There are some advantages to being around “forever,” as Mikko Hypponen, F-Secure’s Chief Research Officer, joked he has been at the beginning of his talk on “Computer Security In The Past, Present and Future” for Mozilla’s Monthly Speaker Series.
Like any decent joke, this quip had a grain of truth in it.
The man Vanity Fair called “The Code Warrior” was born the same year the internet was invented. He joined F-Secure in 1991, before it was even called F-Secure, when only about one in five American homes had a computer and connecting to the internet was something only a tiny percentage of the population even thought about. So when Jeff Bryner, Mozilla’s Director of Enterprise Information Security, noted in his introduction to the talk that,”Mikko has been involved in computer security as long as computer security has been an industry,” that’s not just hyperbole.
Part of Mikko’s job is to speculate on how the threat landscape will evolve, and he does this with a nearly unparalleled sense of the history of computer security. And in his talk at Mozilla, the curator of the The Malware Museum did his best to shrink 27 years of virus hunting, including his adventure tracking down the makers of the first PC virus, into the first third of a one-hour talk.
You obviously need to watch the whole thing for all the fantastic details and anecdotes Mikko has accumulated, but here are five things that stuck out to me, as we prepare for a future where just about everything will be connected to the internet.
1. It took a while before criminals figured out how to make money online.
Mikko notes that first attempt at ransomware actually came out in 1989 — “The AIDS Information Trojan.” And it bore a remarkable resemblance to 2016’s “Petya” ransomware. After the author AIDS was caught, hobbyists continued to dominate malware creation for more than a decade. It wasn’t until 2003 with Fizzer, the first cooperation between email worm authors and spammers, that online crooks figured out how to monetize malware. And they’ve only been getting better at it ever since.
2. Windows updates used to be ridiculous.
Imagine it’s 2003. You’ve been hit by an email worm like Blaster.
You get an error message that tells you to save your work your Windows XP is going to reboot in 60 seconds. There’s nothing you can do. It just reboots.
“You continue working,” Mikko explained, ” and it’s going to happen again. You still have the vulnerability. After an hour, it happens again. A half an hour, again. And you’re going to see it more and more frequently as there are more and more infected machines scanning more and more. So eventually you’re going to go and ask for help… And someone is going to tell you that there’s a vulnerability and you have to patch it. Now this is 2003. There is no Windows Update. So the way you update is you take your browser… and you would manually surf to Microsoft.com. Search for the update. You find the update. And then you hit the button to click. Let’s download it to your desktop as you would… This is how people were updating their systems at the time. But while you’re downloading, you’re still vulnerable. So it’s more than likely while you’re downloading– it’s going to take a while to download — you will get the same error message as you saw earlier. And now you have two counters on your screen. One is counting down ’60 seconds before you reboot.’ One is counting up how finished your download is. A very, very frustrating game being player by thousands and thousands of users around the world.”
It was comical. But Microsoft users didn’t find it funny, Mikko noted. This led to a major “turning point” when the maker of the world’s most popular OS decided to backtrack and get serious about security.
3. Stuxnet changed everything.
Another turning point Mikko discussed will likely go down in history books as the moment the cyber arms race truly began. “We speak about time before Stuxnet,” he said. “And we speak about time after Stuxnet. That’s how big of a deal it was.” After recommending the documentary Zero Days that chronicles this inflection point, Mikko described the anxiety of the summer 2010, how the discovery of this massive piece of malware united researchers around the world and the unlikely piece of “open source intelligence” helped them discover the target of a attack that required such massive resources that it only could have been funded by a government.
4. The IoT revolution is going to happen whether we like it or not.
“Lights are on in this room because of computer,” Mikko said. “There’s water coming out of taps because of computers.” This is why Mikko says that the job of the cyber security industry is not to secure computers, but to secure society. The Internet of Things revolution largely began in factories as automation systems in the 1960s and now it’s coming to our homes — even if you refuse to buy connected appliances.
Right now we have a choice between “smart” devices and “traditional” devices. “But in ten years, even the traditional stuff — even the ‘stupid’ stuff — will go online,” Mikko said. “And you won’t even know it.”
As a result of this, we will have to lie to our toasters. Watch the video to find out why.
5. He never imagined it would be like this.
“If someone would have told me that eventually we won’t be fighting teenage kids who are writing viruses for fun, but we will be fighting organized crime, which make millions with their malware attacks, and we will be fighting foreign intelligence agencies and militaries and we will be fighting terrorists and extremists, I would not have believed it,” Mikko said. “That would have sounded like science fiction. But this is exactly what has happened. This is exactly the world we live in today.”
Apparently, if you stick around forever, you never know what you’ll see.