Mikko Hypponen – TALKS WITH PETRI
Mikko Hypponen talks about how to protect your company against security threats, why ransomware is so common, the future of cyberwars and why you should trust the cloud. He also reveals how he crashed his customer’s brand new car.
Mikko Hypponen is a global security expert. He has worked at F-Secure since 1991.
Mr. Hypponen has written on his research for the New York Times, Wired and Scientific American and he appears frequently on international TV. He has lectured at the universities of Stanford, Oxford and Cambridge.
He was selected among the 50 most important people on the web by the PC World magazine and was included in the FP Global 100 Thinkers list.
Mikko has a book out on the topics we discussed, see https://ifitssmartitsvulnerable.com for more information.
(NOTE: The text may contain errors, misconceptions and even comical unintended contexts. Please use it only as a reference to the actual audio conversation from where it has been transcribed.)
Petri: Hello Mikko, welcome!
Mikko: Hello Petri, and thanks for having me!
Petri: It’s so great to have you here. I think it’s almost like ten years when we’ve seen each other eye to eye.
Mikko: Yeah. Time flies, that’s the way it goes. And they tell me it’s only going faster year by year.
Petri: Maybe we’re getting old?
Mikko: Oh no, no. Don’t say that!
Petri: How many of the Fortune 500 companies are being hacked right now?
Mikko: I know exactly how many.
Petri: Well, tell me!
Mikko: 500 of the 500 are being hacked right now.
Petri: How’s that possible?
Mikko: It’s pretty easy, actually. One of the main challenges we have in information security is that complexity is the enemy of security. The more complex your networks are, the harder they are to defend, the bigger your networks are, the harder they are to defend.
Every single Fortune 500 company has more than 100 000 workstations. If you have a hundred thousand workstations, I can tell you what you have. You have a breach and you have it right now. You simply cannot control every single one of your laptops, desktops, and servers at the same time without having at least a minor breach somewhere at every time.
Petri: That’s quite depressing, isn’t it?
Mikko: It is and it isn’t. It’s a good example of the attitude change that we strongly need in the world of computers. Especially, large companies, there’s massive investment being put into trying to secure the data due to fight against data leaks, against data breaches, against hacks. When you’ve invested hundreds of thousands or millions into your security systems and firewalls and intrusion prevention mechanisms, the last thing you want to think about is that those would fail.
And that’s exactly what you should be thinking about. You should be thinking about that how will you detect when your defenses fail? How do you detect that you have a breach because that changes your mindset from trying to keep all the badness out at all times, to realising that there will be a beach and you will have to be able to detect the breach very quickly if you want to be able to react to the breach.
Petri: That reminds me of Netflix and their philosophy that all of their servers are failing and they have to be resilient.
How viable is this for smaller companies like startups? In Fortune 500, they have a bit more resources than a company with a hundred, fifty, or twenty people.
Mikko: It’s a little bit different, but I suppose there are some general truths about trying to protect your data and trying to protect your privacy, which applies at all levels all the way from enterprises to small companies, to medium-sized companies, to startups, to individuals like things that speed is the enemy of security, which is another truth.
Complexity is the enemy of security. Speed is the enemy of security. And especially with startups, this is a very common pitfall. The faster you move, the faster you develop, the first that you deploy, the less time you have for bug checking or quality assurance or testing. And that is just something you have to take into account whether you like it or not.
Petri: What are your top tips for startups? Let’s just take a regular startup, which is not, well, every company is a software company, but I mean that they may not exactly be just building software, but just general security in a company. Then we can go more into a software development company.
Mikko: First of all, starting a startup has changed so much from the technology point of view to what it used to be like. I know it feels funny nowadays, but starting a startup used to mean that you bought a server. One of the first things you did is that when you start hiring people, you get the facilities where you can work from then you buy a server, so you can have email.
Of course, nobody runs their own email server. This is a great example how cloudification has made it so much easier to start new companies. You don’t need infrastructure. You don’t need to own anything. When you grow, since everything is in the cloud, it’s just a punch of the button to have more resources for file storage or websites or service.
My tip here is to trust the cloud. Cloud works. Most startups choose to go for AWS or Azure or Google Cloud Engine. Not just because they give you this versatility, but also because they are more secure. Microsoft, Amazon and Google invest millions and millions to secure these cloud networks.
Normal companies can never afford the same level of security. So, it is a good idea to use the cloud, but of course you have to use it, right. If everything is in the cloud, then the crucial part is the authentication. What kind of password mechanisms and authentication mechanisms you use? Do you share passwords with users?
Do your users use the same password everywhere? Things like these. Technology can enable so much good, but you have to be able to use it right.
Petri: Does this apply only for the big guys, Google and AWS? You don’t see what’s happening in the other end. Where’s the limit? When should you really do some DD to the suppliers? Can you trust the smaller service providers?
Mikko: This is a very tough problem. How did you know that your suppliers do what you want them to do? Not just what they promise to do. One of the biggest problems we’ve seen in practice over the last year in information security has been widespread supply chain problems. Some of these have made general headlines like the SolarWinds saga. SolarWinds is a US publicly listed company, which makes IT-management systems for very large networks.
The idea in supply chain attacks is that if the attacker wants to break into an organisation’s network, but can’t because the organisation has protected them themselves good enough. Then they find another way in. They figure out the technology the target is using and hack the providers of that technology instead.
For example, in the SolarWinds’ case, we don’t know exactly which US agency was the target. But the Chinese wanted to break into a US agency and couldn’t do it. So, then they hacked SolarWinds and simply waited for the target to apply the latest SolarWinds’ software into their network. And those were backdoored by the Chinese, which meant they gained the access indirectly. This is a hard problem to solve.
In fact, if you follow these steep enough, eventually, you end up discussing about the security of the microcode in our CPUs. How do you know exactly what Intel is doing inside the latest CPU, which you run in your computers? Or what’s inside Nvidia GPUs? The fact is these have become so complex that nobody knows anymore.
Petri: This was actually one question a friend of mine wanted to ask and it’s related to exactly this hardware thing. Your phone is supposed to be the most secure device you have compared to your computers and laptops. That’s what I learned by doing a bit of research. But can you really trust your Android?
Because most of them are done in China and the hardware level there. Is there a secure Android phone in a sense that you can be sure that there’s no backdoors or is the data always piped to some government agencies or some other parties?
Mikko: There’re no guarantees. But that applies to everything. There’s no guarantees your Apple is a hundred percent safe either, or your iPhone is completely free of all possibilities of backdoors. We don’t know. There’s so many components coming from so many different suppliers. We just have to hope for the best.
Regardless of that, your Android device is massively more secure than your Macbook laptop or your Windows desktop. A traditional computer, real computers are not nearly as secure as these toys, these mobile phones. This is not the way we typically think about it. We think about that real computers have real security.
Then we have these mobile devices, which are just mobile devices. Actually, the operating systems like Android and iOS or iPadOS are massively more secure than your Windows 10 or your latest version of MacOS. This is because they are more restricted. This is a trade-off between restrictions and security.
This isn’t so easy to see. Especially, from the point of view of a normal end user. If you give someone a brand new M1 Macbook and a brand new iPad Pro with an integrated keyboard, they’re basically the same device. The iPad has a touch screen, but otherwise it’s the same.
You can do everything with both of them. They are very powerful. You can browse the Web. You can play games. You can use Photoshop. You can do everything with both of them, but there is one crucial exception, which is that Macbook is a computer. If you are a programmer, you can sit down and write a program for your computer.
Once you’ve written your program, then you can run your program on your own device, and you can give you a program to your friend and he can run it on his device. You cannot, you are not allowed to do this on your iPad. You’re banned from doing this. This is forbidden. The only way you are allowed to run your own program on your own iPad is that you write the program and then you send it to Apple, to California to be approved.
And if Apple agrees and approves, and blesses your program, then, and only then, you get the right to run it on your own device. And this is a very, very restrictive model, but it’s also a very secure model. It’s the same model we see elsewhere like in your PlayStation or in your Xbox. That’s the same model.
Those are also very, very restrictive environments. They are computers just like any other computer, but it’s a computer, you, the owner don’t have the right to program and you can only run the programs , which have been approved by the vendor. The fact is Microsoft, one of the largest operating system manufacturers on the planet, the most secure version of Windows that they are shipping right now is inside Xbox. It’s inside a goddamn games console. Isn’t that weird?
Petri: Well, that’s quite funny. Now, I understand why some are having business meetings in some of the multiplayer games.
Mikko: Yeah. I’ve actually seen someone was doing meeting inside Fortnite. If you disagree with someone else in the meeting, you can just shoot them.
Petri: Yeah. I heard that sometimes it’s an unintended consequence. But maybe sometimes it’s just a bit of venting, chill out.
How about then, if you’re building a software startup and you need to basically own the cloud for the other people. You’re responsible of the data. How do you secure that data? What are the other measures you need to take into account when you starting from scratch, maybe it’s yourself and a dog?
Maybe you building a new company, Mikko? You start to build from scratch. But you’re planning to make it to 20, 50, 100, 500 people and more. How do you do it right the first time and how do you scale it? Are there different steps as well?
Mikko: Well, how would I know. I’ve always been working at the same company and it’s not my company. I haven’t grown a startup from a man and a dog…
Petri: You were there pretty much from the beginning, weren’t you?
Mikko: Yeah. I was an early employee with F-Secure, but it’s not my company. That’s not really the same thing, is it? But…
Petri: Yeah, that’s true. But I guess you’ve seen quite a lot.
Mikko: I’ve seen the company grow. I’ll give you that.
Sure, sure. We’ve done so many mistakes over the years with F-Secure. I think that’s one of the best ways to learn really. One thing I think is a universal fact, is that don’t try to invent stuff which has already been invented. Nowadays, with all the access to shared open source code and things like GitHub and Stack Overflow and well documented and understood libraries make this possible.
A perfect example on avoiding pitfalls when you’re trying to build services for others, is that don’t try to implement complex things like encryption algorithms. That’s going to fail. You will not get it right. And we do have known tested, trusted algorithms, which do get it right. That’s the perfect way of thinking about this.
It’s also a question about when you see an opportunity, you don’t always have to take it. You should really consider it. I remember very well in the early years of F-Secure, back then when the company was still called Data Fellows, when the Web started growing, and Netscape, the browser, invented this great new innovation SSL encryption, which we nowadays call TSL encryption.
That’s the HTTPS connection between between different services. Initially, it was only meant for online shops. If you wanted to buy something online, you needed a way to encrypt your credit card numbers. That’s the initial use case for SSL and HTTPS. And I remember we realised that, Hey, there’s a new business here. Because for this encryption to work, there has to be a certificate.
And a certificate has to be issued, basically sold by someone. And in practice, that certificate is just a text file. It’s just a text file. You’re selling nothing. You’re selling trust. Certificate vendors, sell trust that you can trust us to safeguard these certificates and make sure they are issued to the right parties.
We considered, whether we should go, whether F-Secure should go into this certificate, vendor business. Whether we should start selling these. We realised early on that there might be a business opportunity there. Because if you’re only selling trust, Finland is one of the most trustworthy countries on the planet, according to different institutions.
We already had been around for a couple of years. We considered ourselves to be a trustworthy partner. We did consider going into this business. However, after doing some thinking about it, then we decided not to do it. We wanted to stick with endpoint security solutions and software security solutions we’re not going to do.
Of course, in hindsight, we lost millions and millions in money. They were very few vendors in the business at that early time back then. One of the biggest success stories started next year. They started, well, not from one of the least corrupted countries in the world.
They started from South Africa. That was the company called Thawte, which later sold itself to Verisign for a billion dollars. And the founder, Mr. Mark Shuttleworth went on to start Ubuntu with the money he made from that business deal.
However, no hard feelings. We did not miss that opportunity. We saw the opportunity. We saw here is something we could do, and we thought it through and we actively decided not to do it. I would have a much bigger remorse if we would have missed that opportunity. We didn’t miss it. We decided not to pursue it. And that might have been the wrong decision, but I have no regrets about it.
Petri: Do you think it’s still possible to build a startup who is in the security business and your main clients are big corporates because you need that trust and you need to build somehow that credibility? Or is that established companies game nowadays?
Mikko: It is possible to start new startups. We see it happening all the time. But the challenge you mentioned is a very real challenge and a typical way startups try to tackle that nowadays is by building advisory boards and bringing in known and trusted figures who can vouch for the company, go through the technology and then use their reputation to vote for it.
That seems to work to some extent. But it’s a little bit weird seeing new startups entering this picture with completely different business models than what I used to know and think. I had a very eyeopening meeting maybe three years ago. I was at Google in California.
There was this Google Cloud Engine meetup. During the lunch break, I ended up sitting next to these two Dutch guys and they had this startup from somewhere close to Amsterdam. They had taken in gazillions of VC money and used the money to hire PhDs in AI, which, of course, are very hard to get, but you get them if you have the money.
They had spent all of their investment to hire these brains. What they were doing didn’t make much sense to me at all. Because they were building these machine learning mechanisms to detect anomalies inside processes, inside Google Cloud Engine. I couldn’t figure out how they would make any money with that.
Obviously, it was a very expensive operation to run and I couldn’t see how they could make it profitable. So, I asked the guy, the founder. Okay, what exactly is your business model? And he told me that, well, we have no business model. We’re just trying to get acquired by Google.
Mikko: I haven’t checked lately, but I’m pretty sure they did get acquired by Google.
Petri: Well, that’s a high bet strategy if you’re just doing it for Google.
Mikko: What’s the downside? Your company doesn’t succeed. It doesn’t get bought by Google and then VCs will lose their money.
Petri: And, you will lose your time building the company.
Mikko: Yeah, okay. That’s true. It’s not that easy, isn’t it? But it was a really eye-opening discussion. I tried, for the life of me, to figure out how do they make any money with this. And the answer was they weren’t trying to make any money.
Petri: This reminds me of another conversation you had. Was it also with Google? Was it even in the same lunch where you made the parties really silent, then nobody wanted to talk anymore?
Mikko: I know what you’re referring to, but that meeting wasn’t that Google California. That was actually at Google Switzerland. I managed to crash the mood of a lunch meeting. We were having lunch with maybe ten Google engineers and chit-chatting about this and that and games and TV series, and what have you.
Then I started talking about nation states and attacks against players, which stored the world’s data, the big cloud providers. The thought I just floated was that isn’t it so that the biggest intelligence agencies on the planet wouldn’t be doing their job if they weren’t already trying to get moles to work inside the biggest cloud providers on the planet, like have their own employees recruited to work inside AWS or Azure or Google.
Everybody was nodding their heads. Yeah, yeah, yeah. Sounds right. Yeah, that’s correct. Yeah. They probably are trying to do that. Yeah. Yeah. Which means there probably are foreign intelligence agency moles working inside Google. Then everybody started looking at each other around the table back and forth, and everybody went awfully silent.
You end up in a really paranoid situation where you start to suspect your workmates to work for a foreign intelligence agency.
Petri: I would imagine that you didn’t kill just the lunch, but probably that’s something you’re going to erase ever from working on those companies and in that field because how can you? Because that’s what happens and isn’t that actually what’s happening more and more nowadays?
How can you describe the situation nowadays that there’re government agencies actively hacking companies and doing stuff, and they trying to find all the possible cyberware available to find these hacks and exploits, but then there’s also the temptation to utilise that for the gain of the private companies as well? So, there’s a lot of people knocking on your doors, at least virtually.
Mikko: That’s correct. And the whole idea of government writing malware would have been so hard to believe early on during my career. When I started analysing malware in the early 1990s, all of the viruses were being written by teenage boys for fun. It was sort of like a fun game that we were playing against them.
We would find a new virus and we would try to decode it. And of course, the virus writers were trying to make it hard for us to figure out how the code worked. They had encrypted it and there’s all kinds of booby traps. And we would find all of them and decrypt their riddles and solve them and named the new virus and that detection.
And then excitedly, we were waiting for the next case. Sort of like playing a game of chess against an unknown enemy. But anyway, again, that’s what it felt like in the early days, even though it was a business. We were selling anti-virus solutions, but this is how it felt like. But then slowly and surely it’s changed and all these happy hackers of yesteryear have disappeared.
Nowadays, it’s all about organised crime gangs, making tons of money with ransomware and banking trojans and keyloggers, or it’s what you were just referring to governments, intelligence agencies, militaries, which use offensive cyber power for espionage and for sabotage and in extreme cases for waging war as well.
It has totally changed the nature and the value of software vulnerabilities or exploits that target software vulnerabilities.
Petri: Is this sort of the theme of this decade now that it’s getting more like an ordinary thing and another type of thing we have to take care of? So, it’s not just ransomware, which is quite dominant nowadays, but also that if you building something, which has potentially high value that you have to be quite paranoid. Now, I start to understand the CEOs who are running their business just from their mobile phone, or maybe from their Xbox.
Mikko: I don’t think any executive is running their business from their Xbox yet, but it might not be a stupid idea. But, if you think about cyber weapons, whether you use it for espionage or sabotage, they make a lot of sense. Cyber weapons make a lot of sense from the point of view of the attackers, from the point of view of nation states, when you compare cyber weapons to traditional weapons. Cyber weapons are effective, affordable, and deniable.
You have a weapon which is affordable. It’s cheap. It gets the job done, and you can deny that it wasn’t us. This is something you cannot do with traditional weapons, like a B-52 doing bombing runs, but you end up with comparable end results. For example, if you think about Stuxnet from 2010. Provably United States and Israel were able to delay the uranium nuclear enrichment program by maybe 18 months, purely with software attacks.
They could have done a physical attack. Instead, they could have done a B-52 run and bombed down the Natanz enrichment plant or its supporting facilities around it. But it was probably cheaper and more effective to do it with a piece of malware and the best part is it’s deniable. We know it was The United States and Israel.
They are still denying it today and there’s no way for us to prove this.
Petri: What should you do as a CEO, as a company owner, or a private party trying to do your business, and then there are these huge resource available for the government agencies and other parties who are trying to knock on your doors not in a nice way?
Mikko: You should realise that you, as a business leader, have limited resources to fight against them. You should put your resources into the right place. And that means you have to do your threat assessments correctly. You have to understand who is likely to attack you. Who are you fighting against?
Because you don’t want to use your limited resources to fight against an enemy, which is never going to attack you. Should you worry about nation states? Is your company a target for foreign intelligence agencies? Do you have to worry about activists? Do you do something which will make people angry at your business?
For example, if you pump oil out of the ground. People will have very strong feelings about that now. Whereas people might have very strong feelings about mining cryptocurrencies, for example. That will create attitudes against your organisation. And you have to, in some cases, fight attacks done by those people.
Or do you have to worry about criminals? People who are interested in stealing from you? Or do you have to worry about corporate espionage? Do you have to worry about parties, which might make you to look bad or embarrass you? Do you have enemies? And the answers to these questions are different for different organisations.
If you have a company which delivers food. That’s a very good target for financially motivated attacks, but it’s unlikely to be a target for foreign intelligence agencies. There’s nothing interesting in there from the point of view of foreign intelligence. They don’t need to know who ordered which pizza at what time. That’s not the most important piece of information.
They would much rather target governmental targets or military targets or military contractors or targets like that. But it all starts from understanding who are you? What is your business? What do you do? Who would like to hurt you? Who would like to steal from you? And when you have an understanding of that then, and only then, you can start to put your limited resources and limited budget into the right place.
Petri: Are there countries, geographical locations, which are better, if you have sensitive security stuff or data. You have a limited resources, maybe you’re not a big corporation yet, but is there some governments who are more friendly to support you and lend their resources and actively be the big brother for you in a positive way against these other big brothers, who are trying to knock on the door or do we just need to be suspicious of anyone who is trying to help you?
Mikko: I don’t really think that any government is doing a good job in defending their citizens or the companies in that country against foreign threats. If this is going to happen, it’s it’s yet to happen. I had a very interesting discussion here in Finland with one of the generals of the Finnish military.
The question I had was okay, who defends Finland against cyberspace attacks? And he told me that, well, he is not sure, but definitely it’s not them. It’s not the military. It’s not their job. They defend Finland’s independence against foreign attacks, but in their mandate there’s nothing about defending against attacks in cyberspace.
Petri: Yeah, It’s a foreign attack still if it’s done by a foreign party. So, I think it’s semantics in a way.
Mikko: No, no. They have no mandate to work there at all. They can’t give orders. They don’t have the resources. It’s not their job. And this seems to be a pretty common story around the world. Geopolitics, definitely, play a part. We see this being a vendor, F-Secure as a vendor in this space.
We’re one of the biggest computer security vendors out of Europe. Which sounds fancy, but it’s not saying much because Europe doesn’t have very big security software vendors at all. There’re basically a handful. Some companies you might know. Some companies you probably don’t know, companies like Sophos and Avast and Avira and F-Secure.
But the really big players come outside of Europe. They come from the United States, they come from Asia and they come from Russia. Then when we go into the global marketplace as a European vendor, especially as a Finnish vendor, this sometimes does matter. I’ve been in discussions where companies are interested in consulting services or software security services, but they don’t want to buy Chinese and they don’t want to buy Russian and they don’t want to buy American.
Then you have much less options left. Finland as a neutral country, pretty neutral, actually, even the fact that Finland is not part of NATO has been in some of these discussions. And again, one of the least corrupted countries in the world, this has at some discussions been to our advantage.
Not always, obviously, but sometimes it does matter. This is something which, I hope we would be able to use more to our advantage. Overall, I’m really disheartened by the lack of technology leadership out of all of Europe. When we look at the biggest technology success stories, which come out of Europe, we have pretty much nothing.
When we do have the rare success story, it’s almost always fairly quickly sold either to the West or to the East, as we’ve seen. We really should be doing better. One of the most demoralising lists I’ve seen recently was the list of publicly-listed like stock exchange listed technology companies out of Europe. The first two entries on the list were Accenture and Prosus.
Accenture is headquartered in Ireland, but I don’t really think it’s a European company. Most people don’t think about it as a European company. And second of all, I don’t really think it’s a technology company either, but it was the biggest based on stock value.
Number two, Prosus. That’s actually South African company, not a European company at all. It’s just listed in Amsterdam Stock Exchange and their valuation doesn’t come from anything which has anything to do with Europe really. Their valuation comes from the fact that they were early investors in Tencent, maybe in Alibaba as well.
It doesn’t get much worse than that, does it? The European success stories are South-African companies investing in China.
Petri: It puts me to think that maybe that’s also one of the strategies: buy them early before they become too big. You can get them to the US or Chinese or whatever jurisdiction you want to have them.
Mikko: Yeah. And I think jurisdiction and regulations and rules, maybe are part of the problem. Europe doesn’t have a unified common marketplace like United States, for example. But then again, Europe is much bigger than the United States. In fact, it’s quite remarkable when you look at the amount of Internet users and then different regions of the world, the United States, when you look at the amount of Internet users is so tiny, it doesn’t even matter.
There’s much more users coming from Asia. More users coming from Africa. Twice as many Internet users in Europe than in the United States. There’s more Internet users coming from South America yet all the services we use outside of local media are US services. US cloud, US operating systems, US search engines, US social media.
It’s remarkable how well they’ve been able to rule and become the kings of the Internet. This might now slowly be changing. If you look at, for example, Alexa, which lists the most visited website in the world, out of the top 15 websites in the world, eight are now Chinese and seven are from the United States.
Petri: We have examples like TikTok policies, the data security or non-security and there’s a lot of these things where Europeans have already, for some time, being the ones who are taking whatever is given. The Americans also are starting to experience this now that there are things that are built in Asia and China and the other parts of the world, and you are not telling what to do or you’re feeling not so comfortable and probably things are not customised.
How do you see the future in this field?
Mikko: This is exactly the reason why we’ve seen the US leaders, especially Trump, react with these knee-jerk reactions when they realise that suddenly the most downloaded mobile application in the world is not American. In fact, it’s coming from China. Well, then they have to do something. Then they have to ban it. Or, when they realised that vendors like Huawei or Xiaomi are becoming a very real threat to the local US-based mobile phone vendors, they have to artificially restrict access to these technologies. And I think Xiaomi is a great example and Huawei as well. If you forget about the infrastructure and base station and 5g discussion for a while, and just think about handsets. You look at the most sold mobile phones in Europe.
You look at the top 10 lists and you have OnePlus, Xiaomi and Huawei on every list, pretty much in every country. Then you go to the United States and you won’t find them in the top 30 at all, because you can’t buy them. You have to jump through hoops to find them in any meaningful way.
That’s not natural at all. Obviously, there are worries about national security, but I think there’s also very strong hints about trade war, where USA is realising that China is very much rising. The same reaction we see from USA now against applications like TikTok. That’s the same situation where we Europeans have been for years and years. The technology and the applications and the solutions we use are not local.
They’re being built in far away places by regimes, which don’t care about us and our rules and our traditions and our legislation at all. And who won’t it down to discuss these details with us at all. That’s what we’ve been working with in Europe for four years and years. And now, when the Americans, for the first time, are faced with the same situation, it seems to be a very tough lesson for them.
Petri: You did an experiment sometime ago that you tried to live without Google. How did that go?
Mikko: Oh, it failed spectacularly. It’s not possible. I’m not challenging anyone to try it because you won’t succeed. Sure, living without the search engine, that’s doable. But that’s not Google. Google is everywhere. if you want to live without Google, you have to avoid all of their services.
Gmail, Google Docs, Google Analytics, Google Ads. Every website you visit is loading Google Analytics and using that to track you. You can try to find your ways around that, but it’s hard and painful. Then you have services like YouTube. This is what broke my back. People sending me links like, hey, this is very important. Check out this video and it’s on YouTube. What the hell am I supposed to do? The only way I can watch the video is use Google services, YouTube, to watch the video, or I choose not to watch the video. And that simply was not an option in some of the work cases I had. So I gave up. Google has become too big. You cannot cannot avoid it anymore. It is everywhere.
Petri: A related question, is it actually possible to browse the web even by refusing all the cookies, refusing all these trackers? I think technically that’s possible, but is it like that you’re just reading basically text files, which are just garbage?
Mikko: You can do it. Nobody really does it, but it is doable. Sure. There’s so many ways of tracking you. If you couldn’t reload any other content than basic text to do it, which pretty much nobody does. If you want to find a balance of what makes sense, like where’s the balance that you can actually protect your privacy at the basic level, but still use all the good resources we have online we have to accept some level of tracking. There’s no turning back anymore. We did have a time. We did have a chance of monetising the online services, which would not have involved any kind of tracking but that’s too late now. If you remember when first web browsers became common, like Netscape 1.0n made its breakthrough and suddenly everybody started browsing the web.
Petri: Those were the good times!
Mikko: Absolutely the best times!
I remember the mystery in the early days to me was how are we going to pay for all of this? Because when Gopher was going away and we got HTTP and it was so easy to use. We had graphical user interfaces. We had images. You could click on links.
I realised that this is going to be huge. Everybody will be using this and we will have so many services online. We will have websites with information with news, with weather reports, maybe one day we will have, I don’t know, movies on the Internet. That’s what I thought around 1994/1995. But then, I realised that hold on if you’re going to have all these, valuable services online how exactly are we going to pay for them? For example, newspapers or TV channels are not going to move their services from the current business model to the Web, if there’s no way for them to get paid. I was thinking about this and I came to the conclusion that surely Netscape and other browser manufacturers will integrate a payment button into the interface.
Like you go to read a piece of news and there’s a popup say, hi, do you want to read this? This cost you two cents and there’s a button and you click the button and you pay two cents and it somehow deduct it from your credit card or some online payment system. And then you get to read the thing. I was imagining micropayments. Obviously, this is the way it’s going to be.
There will be micropayments built in the browser and we will pay for content as we need, as we wish. And now it’s 2021 and we still don’t have the micropayment button in browsers.
Petri: 404 instead of 402!
Mikko: Yeah. I mean, you’re right. There is a protocol for that. We could. It’s all in theory there. And even the rise of electric currencies or virtual currencies and blockchain solutions, even that hasn’t made this reality. Nowadays, the closest we have to that is the Brave browser, which has the BAT currency payments built in.
But that’s not in Chrome or in Safari, which is what everybody’s using. So, instead of paying for content with money, the history made this weird turn and we ended up into this world where we are living today, where we pay for content with privacy. We don’t pay for content with money. We pay for content with privacy.
If I want to watch cat videos on YouTube, I can’t pay money for that. I have to let Google to profile me, build dossiers of me and what kind of videos I watch and what else am I doing elsewhere on the Web. Who is my friend and who is my enemy? And then sell that information, sell that profile, sell that dossier to advertisers or in extreme cases to sell it for election campaigns. They can use that to target people who vote. We were close. We could have chosen a different future. But we failed to do it and it’s too late.
Petri: Was it really an option in the early days or was it just the laziness of the people and it’s too difficult to pay for everything?
Mikko: I totally think it was an option. I think we just failed to capitalise on that. There were some early attempts, DigiCash, for example, in the early 1990s was trying to get this off the ground. One of the problems back then was that there were so much opposition from banks and credit card companies, which hated the idea early on, but clearly users were taking all these brand new technology into use for the first time.
And if part of the onboarding process would have been to include your payment information so you can pay for the content online I think people would have done it. It wasn’t simple to build the current infrastructure where all this profiling is being done and turned into money and nobody would have believed how much money there is in this online profiling business.
Nowadays, when you look at the revenues of Google and the likes of them it is a massively large amount of money, which is being done with this profiling today.
Petri: You mentioned somewhere that our generation will be remembered for what did we did: we killed the privacy.
Mikko: Yeah, we did. We were given a free and open Internet. Like you and me, Petri. We were given a free and open Internet. That’s what we got. And the question is, what kind of an Internet are we leaving for the future generations? Will it still be free? Will it still be open? And it doesn’t look very good.
The biggest innovations of our time, the Internet and the mobile phone and all these digitalisation revolution, have given us so much good and so much bad. I believe the Internet is the best and the worst innovation of our time.
Petri: I think we may have a second chance. That’s what some call the web 3.0, the decentralised world. Many of these people who are building it now are from the generation of our age, who experienced the open source movement and the early open Internet as well, because the protocols are back and now they’re happening in cryptos.
There’s still some hope. But maybe that’s just the pendulum going from the centralised to decentralised. Do you have any insights on the decentralisation move or trend? Because certainly, it looks like that you can trust anybody with your own data because it will be leaked. It’s just a matter when it’s not if it’s going to be leaked. We need to keep very tightly to our private keys, or how does it work?
Mikko: I think most of the users online are lazy and they will go through the path of least resistance and use the services that they know and are used to using. Since users have been online on Facebook for 15 years now, I think they will be online on Facebook forever, regardless of new innovations we see happening.
If there will be web 3.0, it is on the shoulders of the next generation. They are the ones that have to build it. They are the ones that have to start using it instead of the old services being built by the gorillas of the Silicon Valley. I do believe there is a real and important innovation in the space of the centralised systems and also in the space of blockchain.
And I know blockchain has a really varied reputation. Some people believe in blockchain solutions like religion and others are certain that any project which involves anything to do with blockchain is just a scam. I think the truth is somewhere in the middle. I do believe that the innovation of modern blockchain, especially the blockchain as described by Satoshi Nakamoto in 2008, that is one of the big innovations of our time.
I know how to detect, how to tell, when an innovation is big and important. An innovation is a major innovation when you explain the innovation to someone else and they are like, huh, is that it? That’s pretty obvious. That’s exactly what blockchain was. It’s just a list of transactions built so that every transaction is unchangeable forever and public forever.
That’s it. That’s the innovation. You can say it in one phrase. When you explain it, people are like, huh. Well, that’s pretty obvious. Well, yes, it is pretty obvious now that it’s been invented, but it wasn’t obvious before it was invented. This is how you can tell that it’s a big innovation when once someone invented it’s obvious, but it wasn’t before.
The solutions that you can build with transaction lists, which are public and unchangeable forever are so much bigger than just financial services. There are so many other things we can build with these things, with blockchain based solutions, which we still have to innovate, but the basic building block is there. I’d like to believe that the future is decentralised.
Petri: What’s your take on nifties or NFTs?
Mikko: It’s really, really interesting, but it’s not quite there, yet. We’re missing some piece of the puzzle and I can’t articulate what it is. But those of you who’ve played any games where you collect things, you know how valuable those things become, even though it’s completely virtual.
Even if there’s no real money payment involved at all. If you play some RPG and you finally managed to collect something, to build a really rare sword, and you know that in the whole global game, there’s only like three of these sword and you have one that’s really valuable. In fact, if you could, you probably would pay real money for a sword like that. When you combine that mindset and the collectibility…the fact that we like to collect things and hoard things it’s built into us when you combine that with math, which can prove that you are the only owner of a digital good I do believe there’s something there. But it’s probably still a couple of years into the future until this really makes the connection. Then we have another problem to solve, which applies to almost all blockchain solutions, which means it applies to almost all NFT solutions, which is the impact on environment.
Petri: Indeed. But for the environment part I have been thinking also that it’s easy to save the cost of electricity and that’s obviously there. But the other question is that, what is it replacing? What does it take to actually have the physical? Maybe not in the games, but if you’re doing physical art, and you have to get all those resources.
There’s a lot of logistics involved. Maybe you need to heat the buildings to have the galleries and people are doing traveling to get there. Then they are shipping those things. These are not so easy to see. My hunch feeling is that probably these are actually more because when it’s digital there’re no atoms involved. When you have atoms, you have to transport them and, use a lot of energy to move them around or manipulate them.
Mikko: I have two points about an environmental impact of technology. Especially, about mining and all that. The first thing is practical, which is traditional mining for proof of work involved in blockchain solutions. It’s pretty obvious that the one with the cheapest energy wins.
The solution is pretty easy. We just have to tax non-renewable energy a little bit more. So, it’s a little bit more expensive. A tiny amount more expensive than recyclable energy. And every miner will naturally automatically migrate to the renewable sources. Taxation in the short run is the easy solution for the environmental impact.
The long-term impact is more ideological. Every digitalisation idea uses energy and clearly we don’t want to go backwards. We don’t want to steer away from new innovation in technology. Yeah, sure. Watching Netflix movies is bad for the environment, but we still want to do it.
Doing Google searches is bad for the environment, but we don’t want to get rid of Google. Mining for proof of work is bad for the environment, but all of these, I’m confident, can be solved with technology itself. So, steering away from technology, steering away from digitalisation is the wrong answer. In fact, if we want to do anything, we should double the stakes and put more effort into technological advancement because that’s going to be the thing which will save the planet.
Now, there will be an innovation, with technology, which will allow us to reverse global warming one way or another, whether it is directly extracting carbon from the atmosphere and getting rid of it safely or whatever it will be, it will be technology which makes this possible. We don’t want to go back to where we were a hundred years ago.
No, we want to go to where we will be in hundred years in the future. We must not try to limit technology. We must use technology to save the planet.
Petri: I’m just thinking now coming a bit more fun stuff for awhile…
Mikko: You don’t think saving the planet is fun, Petri?
Petri: It is a thrill when you’re building new companies and that’s what I doing basically as a living, building the future. So yeah, it is a lot of fun. I’m just thinking that in order not to just talk about these things, more heavier, deeper topics and wanna have some fun for awhile, because I think it’s a few minutes we’ve been laughing. Well, you just did.
One of your first projects, you forgot something when you needed to demonstrate, and you did something which usually would get people fired. Can you tell what happened to the Saab 9000 Turbo?
Mikko: One of the biggest practical failures of my career, in the very beginning of my career, the very first job I had when I joined F-Secure had nothing to do with security. Early on the company was doing lots of custom projects for clients and I was in charge of a factory automation project for a large Helsinki-based factory. The project was late and overdue and it wasn’t progressing as we want to.
Petri: Just a regular software project, wasn’t it?
Mikko: Yeah, like they always are, but this was my first. I was late and inexperienced and I was very junior at the time. This was my first Windows project as well. They wanted to completely renew the systems they used inside the factory to run on Windows 3.0, which was the latest and greatest at the time.
Petri: No Internet.
Mikko: Obviously, no Internet, yes. 3.0 still didn’t support Internet even with outside drivers. Windows 3.1 then supported Winsock Trumpet, which then changed the world. But the CTO of the company got fed up with the late project. He called me and said, he wants to see a demo. He wants to see where we are. He’s going to invite his group together. He wants me to come over tomorrow and do a demo to show where we are.
I worked very late in the evening to try to get it as done as possible. Then I went to the office early in the morning. Our offices at the time were in Hietalahti. And then I jumped on tram to drive from Hietalahti to Arabianranta to show the demo. And when I get there, I go to the meeting room. They’re all there. The CTO is sitting at the end of the table and I’m 22, I think at the time.
I opened up my bag and I realised that I left the floppy disk with the demo at the office. I can’t show the thing that I worked on for weeks that I worked through the night. Because I forgot the floppy disk in the disk drive, which is at the office. The CTO was furious. He didn’t believe me. He thought I was just buying time.
He was confident I had nothing to show and I was just trying to cancel the meeting and that it’s just a story. So I told him, no, no, no. I do have it. It’s just at the office. So he said, okay, fine. We’ll wait. We’ll sit here in the room and we wait for you to pick the floppy and you come back with it.
And I told him, yeah, sure. I’ll do it, but I don’t have a car. So it’s going to take, I don’t know, an hour and a half for me to drive through the city with the tram. So, he gave me his car keys. I got into his brand new Saab 9000 to go and pick up the floppy. And as soon as I get out of the parking lot. I crashed his car.
Petri: So, within five minutes of going out of the building?
Mikko: Yes, yes. And I remember I told this story to someone and,he was just horrified and he asked me that, Oh my God, how on earth did you ever get another job in software industry again? And I answered him that actually I didn’t because I’m still working at the same company today.
Petri: How did you actually get the floppy?
Mikko: I didn’t crash the car so bad it wasn’t undrivable. It was a fender bender, but trust me it was bad enough.
Petri: Yeah, I can imagine. But usually, if there’s another party, unless you just went to whatever wall, you need to sort it out and that takes time.
Mikko: No, I crashed into a parked car and I left a note and carried on with my fender bender Saab 9000 Turbo.
Petri: Well, those things happen. I guess like the other time you were sort of too eager to do an update on the website.
Mikko: Oh yeah, that was another great example of failures early on. I don’t know if you know this, but F-Secure had one of the first websites in Europe. Definitely, one of the first websites in Finland. This was in April, 1994. And I know these because I set up the first website for the company.
Petri: Was it running on a Netscape server?
Mikko: It was actually running on a Solaris’ custom server at the time. HTTP servers were fairly easy to implement if you had a very small site, which is what we did. I think we had like three pages and a couple of images on the first site. But a fun fact about the same Solaris server, which was also our file server and our email server. If someone would have broken into our website, they could have gained access to our emails as well, which is pretty horrifying to think about, but, hey, that’s the way things were in 1994.
I was maintaining the system partially from the Solaris system itself and partially from my MS-DOS based PC, which was running PC TCP-drivers. And those drivers did not support symbolic links or they did, but they turned symbolic links into hard links. Which basically means if you delete a folder with symbolic links if you do it from the Solaris side, it just deletes the link. If you do it from MS-DOS, it actually follows the link and delete everything underneath the link as well. After we had been running our website for a couple of months, I was doing some cleanup because I had a full hard drive on my MS-DOS computer and I deleted a temporary folder.
It had a soft link to our website, which ended up deleting the whole site. So, I deleted our website and we had no backup. Yeah. I remember going to Risto, that’s Risto Siilasmaa, and explaining to him that, yeah, sorry, Mr. CEO. I’ve deleted our website and we have no backup.
Petri: The e-commerce business is down now!
Mikko: Well, I don’t think we had e-commerce at the time. But it was pretty bad, but, Hey, I’m still working here today!
Petri: Risto is a really forgiving man!
Mikko: Yes, I can’t thank him enough!
Petri: He wrote an excellent book a few years back, and I think that’s one of his principles, isn’t it? That you have to give a try do a lot of things and make some mistakes as well.
Mikko: At all times you have to keep your paranoid optimist thought in order. That’s the way he thinks. And that’s, I think one of the reasons why I’m still employed there today.
Petri: Is there anything else you would …because I really loved Risto’s book and if somebody hasn’t read it, I recommend to read it. It’s at least one of the best books, or maybe even the best book I have read about board work as well and corporate governance. It’s a bit of a thriller as well, and also how to save Nokia and what happened in Nokia as well. So, there’s a lot of things happening in that book. It’s warmly recommended.
Mikko: One of my favourite details in the book is going through the actual practical dealings when Nokia mobile phones was sold to Microsoft. It’s just fascinating to read the descriptions about the really physical armies of lawyers getting together at a hotel in New York where you have board rooms filled with paper contracts stacked meter high and going through of signing every contract and double checking that every patent is mentioned that everything is in order.
Then the board members join and do the actual signing. When you do business exchanges, which mattering in billions of dollars, that’s the way you actually do it in practice. I rarely remember reading about that from anywhere.
Petri: This reminds me of the terms and services. So, have you read them?
Mikko: Okay. Yeah. Well, Sometimes I do. As you know, it takes forever. The fact is even our terms and services are full of godawful things like our F-Secure software includes clauses like even if there is a bug in our code, which deletes all of your data by accident, and you tell us about it, we don’t have to do anything about it.
We don’t have to fix, and you’re in charge of all the costs. And we know people don’t read terms and conditions. We tested this. We set up a free wifi hotspot in downtown London on Piccadilly Circus a couple of years ago called F-Secure free wifi. And, and we got dozens of people signing up for free internet access and accepting our terms and conditions, which were the usual ten pages of legalese, which among other things mentioned that if you use our wifi, you will have to give your firstborn child to F-Secure. And if you don’t have children, then we will take your favourite pet.
Petri: How many pets you have in the office?
Mikko: We did have a discussion that we actually should go and pick up a couple of kids, but I was voted down. We never did any of that, but we would have had the right.
Petri: How do you handle a security crisis if that happens to your company?
Mikko: If it’s the first time I would recommend getting outside help and getting it immediately. In fact, I would recommend getting outside help for both the technical part and the communication part. These are hard to do and they’re hard to do at the same time. It’s also the reason why I recommend companies rehearse this. That companies take the time from their busy schedules to do trial runs being run most likely by an outsider who will run it like a war game.
Here’s the situation, this is what’s happening. What are you doing now? Okay. You did that. Here’s the new situation. Here’s how it affected the situation. What are you doing now? Because that’s the only way to learn about things that will affect the environment when you are inside of a crisis.
I’d like to think I have a lot of experience in working in the middle of information security crises, because I was running our labs through all the massive malware outbreaks of the early 2000s. If you remember 2001 and 2002 and 2003, we regularly saw Love Letter and Blaster and Slammer and SAS are these outbreaks, which started from an initial infection and then within a couple of hours affected the whole world. That meant my phone was ringing at 2:00 AM or 4:00 AM. Then I was working 24 hours trying to put out the fires. When we got the technical fixes in place, then I spent the next hours answering phone calls from CNN and MSNBC and BBC and explaining what just went down.
I think we built pretty good processes and infrastructure into handling big cases. It’s very stressful, but I can’t deny it’s also exciting. You do feel very much alive when the phones are ringing off the hook and the whole world is on fire. And you know that you and your team has the skills and the tools to put down the fire.
Then when you are able to do it, in most extreme cases, you shut down the crucial server used by the attackers and the whole attack stops. It does feel very good. You have the adrenaline flowing in your blood and it’s exciting. But of course, it’s exciting only for a limited, like when you get the fourth 2:00 AM wake up all during the same week it’s less and less exciting and more and more tiresome. I’m glad I lived through the virus years of the early 2000s. I wouldn’t give them up for the world, but I’m also very happy that time is now behind me.
Petri: You once said that security is like Tetris: your successes disappear, but your failures pile up. When everything’s working, you don’t get any recognition. And when obviously things are in red alarm, everybody’s concerned about things. And it’s like what happened to one of the biggest ships a few weeks ago: you are even visible from space.
Where should you start? I think it’s too late when you have a ransomware attack happening and you start to think about, okay, I need to Google someone. Oops, Google doesn’t work.
Mikko: Yeah. That’s why I so wholeheartedly recommend testing your defenses and doing trials and doing rehearsals. And I also recommend penetration tests. One of the best ways to figure out where your vulnerabilities are, is to attack your own network. And if you don’t have the know-how to do it yourself, you can hire an outsider, a good hacker, to hack your systems, and then they will tell you how exactly they got in.
And if you want to test your physical security, they will be able to do that as well. This is something we do quite a bit, both physical penetration testing, like basically trying to walk into companies and see whether we can gain access to data centers or confidential data, or what have you, or hacking the networks of the systems.
The thing there, which is remarkable is that our success rates are very, very high. Even when we do a repeat test, like we hacked into a network, then we tell the company what we did, they fix the shortcomings and then to make sure they fixed everything, they hire us again. Then we break in again maybe finding some new mechanism. But in a way, it’s also good to remember that most attackers are not like penetration testers.
Most attackers are after the low hanging fruit. They’re looking for money. Most attackers are in it for money. Most attackers are not nation states or someone who has a beef with you and wants to make you look bad. Most attackers just want money. Which means if your protections are just a little bit better than the average, then the attackers will go after the easier targets.
You don’t have to have perfect security if everyone else has poor security. This means that when you do a penetration test it’s actually much more closure to testing against a targeted attack. Like an intelligence agency, because they won’t go after an easier target. They have a target and they will go after that target only, which is what we do when we are hired to break into a network. Even if your network is well protected, we’re not going to look for an easier target because we are hired to hack your network and your network only.
Petri: So that gives us a bit of comfort, but the world is a big place, so it’s relative the security and maybe you are the weakest link in some exploits.
Mikko: Then you will find out.
Petri: Eventually, at least.
There’s bit of an anniversary Brain.A. It’s not the first computer virus I think that award goes the Apple users but it’s pretty early on and pretty famous and you made a bit of a world tour as well.
Mikko: Yeah, that’s true. Brain.A makes history as being the first PC virus. That’s important because I mean, PC viruses are still today the biggest problem. That’s where most of the malwares problems today are, and PC problems started 35 years ago. Pretty much, exactly, 35 years ago in 1986.
The thing you’re referring to is the trip I did 10 years ago on the 25th anniversary of Brain.A. Because we had a meeting maybe six months before the 25th anniversary of the first PC virus. Our marketing and PR teams invited me to an internal meeting where they wanted to discuss whether we should do something about the 25th anniversary.
They had ideas like we could have some awareness campaigns to tell people about malware problems. I thought all that sounded really boring. My input into the meeting was that why don’t I just try to go and find the guys who wrote the first PC virus? And if I find them, then I can go and talk to them and ask why did they do it then and how do they feel about it and all that. The reason why I brought this up is that I remembered that there’s an address inside Brain.A virus. Brain.A, the first virus for PCs from 1986 has a text hidden inside of it, which is a street address in the city of Lahore, which is in Pakistan.
Petri: And the simplest thing would be to go to Google Maps and check the address and the knock on the door and say, hey, what would like to have an interview? But that’s 1986 and Google Maps was not available at the time. And I guess that was even before your time in the security business. So, a long time, but what are the odds? What happened next?
Mikko: Yeah, the odds were quite surprising because what I learned was that indeed the same street address in Allama Iqbal Town in Pakistan still twenty-five years later hosted the same guys. The guys, Basit and Amjad, the two guys who wrote the first PC virus. They are still there today, even today, 35 years later because I keep in touch with these guys. They’ve never moved away from the place where they were living back then in 1986, when they wrote the first PC virus where they put the street address inside the virus. When I went to visit them, they were there. They’re still there today.
Petri: In the text, when the virus was printed, it says: “Beware of this VIRUS… Contact us for vaccination.”
Mikko: That’s right. The answer to my biggest question, why did you write this, Basit and Amjad, why did you write the first PC virus? The answer was that they wanted to prove how insecure these new IBM PC computers were because these guys had a background from mainframe computers, which had user accounts and security restrictions. Then comes out the 8086 IBM PC, which has no restrictions. There’s no user accounts, no nothing. And they were horrified. So they proved just how easy it would be for someone to write something like this. And it became the biggest outbreak of its time, spreading all over the world, including computers in every city in Europe.
Petri: But it only spread with floppies.
Mikko: It’s spread at the same speed as, for example, COVID-19 is spreading right now. That’s the speed of people traveling. The only way you can spread a human disease from one country to another, is that someone travels from one country to another. Same thing with Brain.A and all the other early floppy based viruses. It required people to travel. You couldn’t spread these over networks. You couldn’t spread them over BBS systems or modems. You had to physically take a floppy and fly. Yet, Brain.A went worldwide. Eventually, Brain.A was even found from the Antarctica South Pole research stations.
Petri: it didn’t even freeze to death.
Mikko: No, it survived everything.
Petri: Like the Bluetooth stuff that happened in the 2000s when people were running around with their mobile phones infecting people. And that’s like the digital COVID-19, wasn’t it? You needed the close proximity to other people and then the only choice was basically to say yes.
Mikko: That’s true. Just like in order to get COVID-19, you have to be within a couple of meters of someone else. The first Bluetooth viruses for the Nokia Symbian devices, they were the same. You have to be close enough to an infected device with your device to get infected. And I remember when these early Bluetooth viruses were a very real problem, viruses like Cabir and Commwarrior. A very typical reaction from people who heard about the problem was to blame the users: “stupid users, why do you accept the incoming Bluetooth transmission? You could just decline and you would be fine. What an idiot getting infected with these Bluetooth viruses.”
It wasn’t like that at all. The early Bluetooth user interface was very confusing. If you were close enough with your own clean phone to someone who had an infected phone, you couldn’t use your phone. You couldn’t do anything with your phone because the other device would constantly send you over and over and over again this request to accept an incoming file transmission.
If you took your phone from your pocket to make a phone call, you couldn’t. The only way you could do anything with the phone would be to accept the incoming transmission so you could get read off this query. Or the other option, which wasn’t obvious, you could just walk away. You could leave the premises to go far away from the infected device, but that wasn’t obvious at all.
The reason why people got infected with these early Bluetooth viruses was a user interface problem. A UX issue. Finally, in Symbian version three, the user interface was changed and this basically killed the whole Bluetooth problem. And we haven’t seen Bluetooth viruses since.
Petri: In a way I think that history is just repeating itself over and over and over again. It’s just different technology, but the gameplay is the same and it’s getting more sophisticated. You can get CEOs paying some non-existent bills and the cons are just longer and more sophisticated, but the basic principles are more or less the same. Just go through the history and find some good classics and rinse and repeat.
Mikko: We can look at every single data breach or data leak or malware outbreak. When you look at the root cause it’s always the same. It’s always either a technical problem, like an unpatched system or a human problem, like a user opening the wrong attachment or clicking the wrong link. And that’s the two root causes we will always find.
Petri: Till we replace the human interface from there and just let the computers write the code.
Mikko: I can’t wait for that. I do think it’s going to happen. One very good way of understanding the intelligence explosion is to think about programs, which program. Like if you have a program which understands its own code and can rewrite itself, it’s pretty easy to understand how that would very quickly turn into something that you and me couldn’t understand anymore. And which would clearly become better and the performance of this program would get better and better until we couldn’t understand the slightest what it does. This is what we speak about when we speak about intelligence explosion.
Petri: In some small, tiny way this is happening already now with all these AI systems or machine learning systems. But obviously it’s not something where they are self-conscious and can describe exactly what they doing and explain it, and then build a better versions.
Mikko: Even GPT-3 knows already how to program, which is pretty remarkable. Even the basic query interface of GPT-3, where you can like give it a prompt and it continues your prompt, if you speak German to it, it continues in German. If you speak Swedish, it continues in Swedish. If you speak in Finnish dialect, like Savo, it continues in Savo. If you speak Pearl to it, it will continue in Pearl. When I saw this for the first time myself, I was really blown away. You don’t even have to tell it that, Hey, this thing that I’m writing is in English or in Japanese, it just knows. It’s awesome and scary at the same time.
Petri: When can we expect security work like that? Nobody does anything and it probably happens in milliseconds and it’s already over, like in high frequency trading. There was a security threat and it was already analysed and neutralised.
Mikko: Security software has been at the front of AI and machine learning for quite a while. We started our first machine learning project in 2007. So 14 years ago, and today none of the large scale research laboratories could do their work without machine learning. There’s just so much data to be analysed.
So many samples, so much network traffic. We try to put as much effort into machine learning for security purposes as possible. It has been a great success story. The best part is that, maybe a bit surprisingly, we are not seeing the other side, the attackers, using machine learning yet, which is remarkable.
Clearly they could. They could be using machine learning to create malware, which is able to rewrite its code or code to avoid detection or phishing attacks, which would detect what works, what doesn’t and adjust accordingly. But we aren’t seeing that. I guess the reason why it’s not happening yet is that if you have the skills to build machine learning systems, you don’t need to go into life of crime.
You can find a very well-paying job because there’s such a lack of scale in machine learning space today. But obviously, that is only going to help us for a little while. Eventually, using machine learning systems will become so simple any idiot will be able to do it. And then we will start seeing malware using machine learning as well.
Petri: How do you see the future in 5, 10, 15 years? What are the things you excited about and what are the things you not so excited about?
Mikko: Every time I walk the corridors of Slush or some other startup event like that I get filled with this buzz of happiness about how clever the upcoming generations seem to be and how they are thinking about the world differently and how there’s so much innovation still to be done and how the digitalisation revolution is only in the very beginning.
We’ve only seen the very beginning. Unfortunately, we’ve only seen the very beginning of the problems as well. I see a bright future and a future where we are more and more dependent on technology. When technology becomes good enough our societies won’t work without that technology. Digitalisation and the Internet is on its way of becoming mandatory.
It’s not there yet, but it will be in the future. And that is going to be one of the big weak spots of the future. But nevertheless, I’m an optimist and I think future looks great, but we also have huge problems ahead of us.
Petri: It’s kind of crazy to think about if we go back to the 1880s, electricity was just coming. Then in the 1920s, a hundred years ago, thinking electricity and how it was changing the society. You could maybe make an analog, compare to the Internet as well. We are like in the 1920s of electricity.
Mikko: That’s right. That’s a very good comparison in the sense that when technology is good enough, like electric grid is very nice. It’s so nice that today it’s mandatory. No modern society survives without electricity. And if we get an extended power cut, like six months without electricity, nothing works.
The whole society would crumble because we wouldn’t be able to feed ourselves. We wouldn’t be able to heat ourselves. We wouldn’t be able to move. We wouldn’t be able to communicate. And this is what’s about to happen with Internet connectivity. That’s how crucial it will be. We’re not there yet.
And right now it might sound a bit far fetched that a cut on Internet connectivity would crumble our societies, but that’s, what’s going to happen. That’s how mandatory it will be in 10, 20, 30 years. And in fact, it’s going to be so mandatory that eventually it’s going to work the other way around because today when power goes out, obviously Internet goes out as well. Eventually, when Internet goes out, it’s going to cut power as well.
Petri: If it’s smart, it’s vulnerable.
Mikko: That’s the Hyppönen Law and it’s a very pessimistic law, but it’s also very true.
Petri: What is your favourite word?
Mikko: My favourite word is hack. Hacking works. Hacking saves the world and hacking is also one of the biggest threats to the world. When I said earlier that the Internet is one of the best and worst things during our time, this is exactly what it means. But, I’m often asking if I’m a hacker myself and I guess I am, but I don’t really portray myself as a one because I know the word comes with heavy connotations and some people automatically assume that hacker means a criminal, which is not true. We have good hackers and bad hackers, and if I’m a hacker, I’m a good hacker.
Petri: What is your least favourite word?
Mikko: My least favourite word is complexity. I’m a big fan of simplifying things or simplifying technology or simplifying thoughts. Complexity is the enemy of security. The more complex our systems are, the harder they are to secure. And if that’s true, then it’s pretty obvious what we should be doing.
We should be trying to remove functionality with every new release of every piece of software. And that’s not what we’re doing at all. We are doing exactly the opposite. Every new version of every operating system and every application and every mobile app has more functions, more features, more layers, more protocols, making it harder and harder to secure our systems. So that’s my least favourite word.
Petri: A startup idea for someone: your complexity is my margin. What turns you on creatively, spiritually or emotionally?
Mikko: Sleep is very important for me emotionally and creatively. I’m happy to report I’m a good sleeper and during normal times I travel a lot. I live in different time zones. I always sleep well. And I think that’s my superpower. It’s very important for me.
Petri: What turns you off?
Mikko: Meanness or mean people, mean thoughts. it’s just unnecessary and unneeded and such a turnoff. Yeah, meanness.
Petri: What is your favourite curse word?
Mikko: Oh, that’s easy. That’s perkele! And I think Finnish swear words are very international. I think everybody understands that perkele means what it means.
Petri: What sound or noise do you love?
Mikko: I’ll play it to you. I’m a big nerd for old technology and old games. So it’s the hyperspace sound from Williams’ Stargate from 1982. That’s my favourite sound.
Petri: Wow! What sound or noise do you hate?
Mikko: It’s very simple. It’s the sound of alarm clock. And that goes back to my superpower of sleeping.
Petri: Are you demonstrating that as well?
Mikko: I’m not because I hate the sound.
Petri: What profession, other than your own, would you like to attempt?
Mikko: If my profession today is I’m a security expert, I’d like to try to be a professional game developer. It’s probably not nearly as much fun when you do it professionally. Maybe a hobbyist game developer, maybe that’s something I’ll do when I retire. I used to write games in the 1980s. I even got some of my games published back then on those home computer systems. So yeah, maybe that’s the one.
Petri: What profession would you not like to do?
Mikko: Well, I wouldn’t like to be a priest. That’s pretty much as far as away from me that I could think of.
Petri: Are you sure? You’re like a security priest, aren’t you?
Mikko: I’m not a security priest. Take that back right away!
Petri: If you could be a co-founder of any startup in any era, which one would you choose?
Mikko: If I could choose any era, any company, I would definitely choose 1972 Atari. That’s such a heroic time that changed the world. Atari had a really lousy fate, like many of the early game companies, but during the first 15 years, it must have been like magic. So, yeah, that’s what I would choose: Atari 1972 with Bushnell designing the first video games, the games, which would change the world.
Petri: It must have been a really magical place to work at the time.
Mikko: I recently visited the old Atari headquarters. I have a lot of old Atari games. When you read the manual for the coin-op, the full-sized games, they have at the back page the street address where the game were built. So I actually went there. I was visiting Apple and I had my rental car. I drove 15 minutes from the current Apple headquarters to the address where Atari used to be. It’s now empty. It was for rent. The building is still there. It’s the same building but nobody’s using it at the moment. I just walked around the building like a pilgrimage to see where magic was done all those years ago. I’m happy I did. I got nothing out of it, except I saw where the world was changed so many years ago. I’m not a priest, but, maybe I did get some kind of a mental feeling of togetherness with the feeling they had all those years ago.
Petri: And even Steve Jobs was doing nights sifts there.
Mikko: Even him. Yeah, that’s right. He was working there. I believe he was not that same building. They were probably still some garage back then, but yeah, it all comes together. Doesn’t it?
Petri: Indeed. Small world.
Mikko: It is.
Petri: Any final words for the audience?
Mikko: It’s all going to get better. I think we should be considering ourselves to be very lucky to be alive during these years. The human mankind has been around for 200 000 years. We happen to be alive during these defining years when we stopped living part of our lives in the real world and started leading part of our lives in the online world. And that will be the norm forever. This change is happening right now and we get to see it, so, exciting times!