Episode 64 | 2021, 2022 and beyond – Part 2

Adam Pilkey

24.01.22 43 min. read

With 2021 now behind us, it’s time to revisit the highs and lows of the past 12 months, and look ahead to what we can expect in the months ahead. To mark the year’s end, we recorded a special two-part episode of Cyber Security Sauna. F-Secure’s Chief Research Officer Mikko Hypponen, Security Consultant Adriana Verhagen, and AI researcher Andy Patel join episode 64 to share their key takeaways from 2021, and thoughts on important issues we’ll face in 2022 and beyond. In this episode: regulating social media networks, cloudification, AI-powered attacks, security in an age of unlimited computing power, NFTs, and more.

Listen, or read on for the transcript. And don’t forget to subscribe, rate and review!

Welcome to Part II of a special two-part episode of Cyber Security Sauna. In our last episode, we were joined by AI researcher Andy Patel, security consultant Adriana Verhagen, and F-Secure’s Chief Research Officer, Mikko Hypponen, to hear their thoughts on significant moments and trends in 2021. Now our conversation turns to the year ahead where we’ll hear about their expectations, hopes, and fears for 2022 and beyond.

Janne: So with 2021 now safely behind us, it’s time to start to think about what sort of trends emerged from that year that we think are likely to continue in 2022. Predicting the future is always very hard, so I’m not going to ask you guys to do that, but what are some of the things you think we’re going to continue to see in 2022?

Mikko Hypponen, Adriana Verhagen, Andy Patel

Andy: I think that there’s going to be more people talking about the problems we have with social networks.

So what sort of conversation are you looking for?

Andy: Conversation about regulations regarding disinformation, trolling, online harassment on social networks. I know that some countries have started talking about these things, different aspects of things.

The US hasn’t talked much about this stuff at all. I think the US needs to start talking about it, actually, because that’s where the companies are.

What do you think the conversation’s going to look like? Is it going to be… GDPR did a lot in this area as well, so is it going to be regulation, or local legislation, or what do you think it’s going to be like?

Andy: On the European side, it’s going to be local. I mean, Germany already has regulations regarding social networks, that they can fine them if certain types of content appear on there. And so social networks actually treat the German use case differently. Twitter even has fields in the API that are relevant, I think, only really to Germany and other countries that have those kind of agreements.

It might be wise for the EU to cover this as a whole, across the whole of all of the EU countries, to approach it in the same way that Germany has, to ban certain types of content, and to hold social networks accountable for online harassment, and spreading disinformation, and trolling, and all the other stuff that is going on.

Perhaps they should approach it the same way that they’re approaching blanket regulations for AI, which they’ve been doing this year.

Mikko: Sounds like something which is a good idea on paper, and very hard to get right when you actually regulate it. Which we already saw, at least in the draft of the AI regulation, the idea that any company using machine learning-based technologies must be able to show how the decisions were actually made. Sounds like an impossible task, and basically restricting companies from using this kind of technology for the benefit of all.

It’s going to be hard to get right for social networks as well. If you’re going to ban content, how to define it right so it’s not going to be misused?

Andy: Yeah. And as with the AI regulation work that’s been going on, the drafting of those regulations has taken input from a lot of experts and companies, and so I think that’s how it should work, in a traditional EU manner that these things are drafted and then a lot of feedback and discussion happens about the nuances of these laws.

And with the AI regulations, they actually structured it such that there’s the main body of the document and then appendices which can be changed more easily to cover change in the landscape as we move forward.

Well, with the AI regulation, there’s been some concerns that it’s going to stifle innovation, but actually those same concerns were already voiced in GDPR conversations. So do you think we’ve learned anything since then, and we’re going to be now better positioned to take those concerns into account? Or do you think we still run the risk of stifling innovation when we introduce new regulation?

Andy: It really does depend on the final wording of those regulations. There are things in there right now that need to be changed, like what Mikko pointed out, about the fact that we need to be able to explain how decisions are made and we need to be able to show that every piece of data in the training set was vetted for bias and inaccuracy and stuff like that, which is…these tasks are impossible. The wording needs to be such that it allows for normal use cases.

But I think that as long as these high-risk applications are well defined, it shouldn’t stifle innovation. Because really, those are the ones where the regulations apply the most.

Mikko: But the concern is very valid. Teaching machines with biased data will of course lead to biased decisions, and it’s a really valid concern, and it’s a really hard thing to get right.

It’s a huge problem. We need massive amounts of data when we want to teach machines, and most of the data we have is originally biased, or it gets biased as we collect it. And we humans are biased ourselves, so it’s…I don’t really know how to solve this, but the concern is very valid.

Andy: Yeah. And when you look at the machine learning that’s already in use in the world, when we think about recommenders for social networks, those things are being manipulated by inauthentic behavior all the time and they’re learning from it. And so that bias exists on a day-to-day basis in the models that are trained on the data that’s fed into social networks.

Mikko: Yeah. And when, for example, law enforcement uses advanced systems to figure out where there’s likelihood of crime to appear and who are the people likely to engage in criminal activities in the future, even though they haven’t done it yet, we suspect they will do it in the future, sort of like pre-crime idea, surprisingly, this is not science fiction. This already happens all the time around the world.

Of course, bias has a huge point in all of those discussions, like who do we suspect to be future criminals? You’re under arrest for a future murder.

Andy: Minority Report.

Yeah, because you look like one of our past murderers.

Mikko: Yeah.

What about you, Adriana? What sort of things do you think are going to happen in the regulation space?

Adriana: I think that what we’re going to see is that there’s a growing need for threat-based pentesting and exercises, and these are being driven by the rollout of DORA and TIBER. So these regulations, they, in their own way, will stimulate those type of exercises.

So when we talk about threat-based pentesting, we’re really emphasizing having the attacker’s perspective being included in the exercises that organizations perform, and this is a bit different than what has been going on before, which is traditional pentesting, which doesn’t have to be attacker oriented. It could just be for these generic weaknesses that we found. A common framework that pentesters use is called OWASP. And with that shift, I think what will be interesting is that companies will include their attacker perspective more in their defenses as well.

And we’ll see a shift from the narrative, as well. The security narrative is going to change from being one of “We’re having vulnerabilities” to “We have an attack path that could lead to a significant business impact.” And we’re already seeing a bit of that, but I think that with these regulatory changes, we’ll see more of that.

In order for this to be a success as well, we’ll need the maturing of cyber security processes in organizations. And cybersecurity has been a topic now for already a while and processes are not ad hoc anymore, so they’re becoming more mature, and they’re collecting better data. And through that maturing, we can also see that cyber security risk management will become more quantified. Because in order for risk management to be quantified, it needs to have really good data.

And to tie that back to the regulatory changes, is that, until now it’s been hard to do cyber risk quantification because we just don’t have enough data on the impact associated with cyber risk. And these new regulations, also new regulations in the US, are forcing companies to be more public about the impact.

So when you tie this all together, we will see that more companies will become more mature about their cybersecurity processes, but also they will start using cyber risk quantification to drive their investment decisions. And I think that that’s a really positive trend.

One of the things I think we noticed in 2021 was with the pandemic pushing companies into the cloud. Remote working is certainly here to stay, so maybe that was an unintended side effect of an unintended side effect. What does that increasingly cloudified corporate environment look like for an attacker? What are they going to do differently in the future?

Andy: Phishing. If we’re in a world that Mikko has spoken about, where we’re on terminals, dumb terminals, then one of the obvious ways of attacking people would be to phish for their credentials.

Yeah. If you can’t break in, you have to get somebody’s key.

Andy: Right.

Mikko: Yeah. Well, we go through the easiest way in, and in the future, the easiest way in will continue to be the users. And I’m not blaming the users here. I don’t like the phrasing we often see, that the user is the weakest link. I think that’s not really fair.

We’re putting users into an impossible position. It’s not stupid users, it’s stupid systems. And if there’s a link on the screen the user must not click, then the link really shouldn’t be on the screen to begin with, and we should put the responsibility to where it belongs. And it doesn’t belong to the user. But it is a hard problem to solve, and this will only become a bigger and bigger issue in the long run.

And when you think about the world where we are headed, looking at how technology has changed over the last decades and how it will continue, I think, in the future decades, computing power has increased, storage space has increased, memory has increased, connectivity, bandwidth has increased, prices have plummeted.

All right, let’s assume for a second, this continues. What will the world look like in the end? Well, it’s going to look like that everybody has unlimited computing at their fingertips for free. And when I say unlimited, I mean imagine that you have access to the biggest possible AWS cluster with unlimited processing power, unlimited RAM, unlimited storage, unlimited bandwidth, and it costs nothing, or it costs pennies, so practically free.

That’s the world where we’re headed, and I think even though this might be a pipe dream or might be really far away in the future, I think it’s an interesting idea to think about, especially from the point of view of builders and developers and coders.

And the question then becomes, if you would have no limits, what would you build? If there’s no practical limits for processing power or memory or any of that, what kind of solutions would you be building?

And that’s a sort of liberating thought, and I do think that’s sort of the direction where we’re headed, even though we might not be exactly there in the end. But looking at the last 30 years, this is the direction where we are headed. I think it’s going to continue.

It’s an interesting vision. Are you not worried about sort of what the attacks in that world are going to look like?

Mikko: Yeah. Bad people will not be going away, that’s for sure. And there will be crime, and since crime has changed to this new world where geography no longer matters, it’s definitely going to be there.

When I was writing my book last year, I did a study about bank robberies. Did you know that in Finland, my home country of Finland, in 1991, 30 years ago, we had 114 bank robberies? Like, robberies where banks went into banks with guns to steal cash? And the last time we had a bank robbery was in 2005. We haven’t had a single one since then because there’s no banks anymore and the few banks we have don’t have cash.

We do have plenty of online bank robberies, banking Trojans, credit card theft, hacks into cryptocurrency exchanges, and phishing of credentials for financial systems. So real world bank robberies have disappeared. Online bank robberies have exploded.

And this is the way of the future as well. Crime doesn’t go away. It just changes shape. And it will continue changing shape in the future as well.

Andy: With regards to having unlimited compute in the future, that will mean that all these cryptocurrencies will go away.

Well, that’s what I was thinking. I’m going to do crypto mining in that world.

Andy: Well, yeah. I mean, it’ll sort of invalidate that, won’t it? Because…

Mikko: Well, if you look at Bitcoin in particular, it automatically adjusts for difficulty, so if you have a huge amount of computing power, it would be hugely difficult to solve a single block. So they, or he, Mr. Satoshi, has already thought about this.

Andy: But if everyone has access to very large amounts of compute, then everyone could be mining.

Mikko: As long as it’s not literally unlimited, it would self-adjust. This has been taken into account, which is interesting. Another interesting thing about the original Bitcoin paper is that it already takes into account quantum computing. Bitcoin algorithms are quantum safe if you use unique keys for every single new transaction. Which is remarkable, considering that this is from 2008.

So it’s sort of like aliens landed and left this mysterious paper and disappeared and we’re still wondering how the hell, who the hell, what the hell? What is this?

Yeah. Plus all the Bitcoin will have been mined in a couple of years anyway, so…

Mikko: No, no. That’s going to be another a hundred years before we get the last one. But yeah. We’re actually very close to 90 percent of all the Bitcoins being mined, so it becomes slower over time.

Ah, okay. I didn’t know that.

Mikko: But the vast majority of them have been mined already, and a big part of that has been lost forever as well, which is interesting. And whenever we speak about unlimited computing power as well as Bitcoin and Blockchain, we very quickly enter into discussion about the planet and global warming and how is this good for the environment. And of course, none of this is good for the environment.

But I do believe that the solution for global warming and climate change cannot be restricting the use of technology. I think it’s exactly the opposite. I think using technology, using our creative power will be the solution to the climate crisis.

Trying to make people use technology less will not solve this, but I think we will be able to innovate ourselves out of this problem. We will come up with new technologies which will enable us to remove CO2 from the atmosphere somehow. We won’t be able to do that without technology, without innovation.

So I’m not a believer in a world where we will be able to solve this problem by stopping using technology. I think it’s going to be exactly the other way around.

Yeah. I mean, a lot of this technology is being developed and used in places where you have the resources to do something to make it sustainable.

Mikko: Andy disagrees.

Andy: No, I was just…I just wanted to say that imagine if all the compute that was currently being used to support Bitcoin were used to do protein folding or training of AI models.

Mikko: I’d love that kind of a world. In fact, maybe we could even combine this somehow where maybe… I mean, I actually think there are some projects which have tried this already, like use proof of work algorithms like Bitcoin does, but doesn’t waste the computing power, actually tries to do something practical with the computing power. But I haven’t seen much success in that area.

But we have to remember these are very early days. All these Blockchain, Bitcoin, NFT projects we hear about today are really problematic and really weird and it’s hard to understand, but it’s very early days.

I saw a really eye-opening video clip a couple of months ago, which was Marc Andreessen, the original main developer of the Netscape browser, being interviewed on US primetime TV when they had just released Netscape 1.0. So one of the first, well, the first mainstream web browser is here. Now you can browse the web.

And the interviewer is asking Marc Andreessen, “Okay, great. You have a web browser. What can you do with it? What’s there to do with this great new web browser? What do you have there in the web?”

And he has a really hard time coming up with examples. “Well, you can have all kinds of things in the web.” “Like what kind of things?” “Well, all kinds.” “Well, you know, but what?” “Well, I don’t know. You can have like, systems, and information.”

And he had no practical examples. I mean, it would be impossible for anybody to then realize that eventually you would have news and content and weather reports and, I don’t know, Salesforce and GitHub on the web. All of those became a reality. None of us could see that back then.

And this is how I feel about the level of innovation we have right now around these new smart contracts and programmable money technologies. Very, very early days. We have a hard time coming up with practical examples on what we could really do with these things. But I think it’s simply because we are so early. There will be real clever usages for these technologies when we figure them out.

Adriana: To add towards this vision of unlimited computing power, I’m just wondering, what would be the added benefit? Would that actually help to solve world hunger? Would it help to make the world more of an equal place? Can we actually solve these important problems with that computing power?

I’m not sure if that vision and that outlook on that computing power is really that important. I feel that that is more like a material problem whereas we, I feel, need to become better at thinking about the right problems that we need to solve. Are we focusing on the right problems? And then are we using the technology that is currently available to solve those problems?

Mikko: Good question. Well, if you think about just connectivity – forget computing and storage, just think about connectivity – I can see a world where we will have a global, the whole planet-reaching network, for free. So internet becomes like air. Internet connectivity is everywhere. It’s free or practically free, massively fast, and available everywhere around the planet like air. This is doable, can be done during our lifetime. With satellite connectivity and with prices plummeting, eventually it’s going to be like that.

That’s going to have an effect on world hunger, on developing nations, because they will have the same thing as the rest of the world. When connectivity is unlimited and free, it will help with these problems as well. That’s the way I’d like to think about it. I don’t see them making the problem worse. I see it making the problem hopefully easier to solve. It’s going to have democracy-increasing properties.

I guess you could also find downsides. I mean, I’m sure there will be more criminals who could reach victims in the rich countries coming from poor countries with increased connectivity, but I’m sure the upsides will be better than the downsides.

Andy: I do a lot of work with Twitter data analysis and there’s a finite size of graph that I can work with on this computer, and if I want to do something bigger, then I have to go hire an AWS cluster, or something like that. So I mean, if I were able to work with a larger data set, I would be able to do more with regards to looking at things like misinformation or online harassment. That already makes the world a better place.

The second thing would be simulations, so creating simulations, which do sometimes require a lot of compute, that would allow us to approximate things like weather forecasting, or where people will be at certain times such that there is a concentration of people that might catch COVID, these sorts of things.

All these things can be done by simulating. I actually have a simulation that I’m developing here, more of a sort of toy simulation. It’s like an alien world where there are organisms living and adapting to different conditions and stuff. But my computer blows steam when I’m running it.

So I mean, if I could get a Colab type of notebook that doesn’t shut down after a certain amount of quota or time spent that I could just run something like this on for free, I’d be laughing. I mean, there’s so much stuff I could myself do with large amounts of free compute.

Mikko: Do the aliens inside your simulation know that they are inside a simulation?

That’s meta…Maybe I should give my unlimited computing to you, because frankly, I don’t know what I’d do with unlimited computing power, but I don’t think it’s going to be anything productive and it’s certainly not going to solve any of humanity’s big problems.

Mikko: You would run Crysis.

I probably would. I have a specific question, though, about the sort of cloudification thing that sparked this whole conversation. I feel that for a lot of companies the move to cloud due to the pandemic was largely unplanned, so I’m not 100 percent convinced that their sort of response and mitigation strategies followed that. Do you guys think that that’s correct? And if so, what should companies be doing now to sort of prepare for the cyber fallout that’s going to follow?

Adriana: Yeah, I think that the pandemic definitely sped up digitalization for a lot of organizations in a way that was unplanned, even for product companies. Let’s just take the example of Zoom. Suddenly it was being massively used, and they increased their computing power so that they could have a lot more users, but they didn’t really think about security when they had that scaling.

So suddenly there were a lot of issues with security, like people suddenly having a random person joining their call, or kids using Zoom for school and having somebody appear in the class that’s naked on the video, and that is very disturbing. Zoom has made a lot of effort to, of course, fix that and invested a lot in security.

And now if we think about not just Zoom, but a broader set of organizations, there is definitely an attack surface which is unmanaged, which has been created because of the pandemic and because of the shift to home working and bring your own devices.

So organizations really need to be thinking about what is this change that has been taking place in their IT and actually engage with their IT and their organization to understand what have they done. What are the configurations that they’ve changed to facilitate suddenly developers accessing a certain type of application across the internet instead of just on-prem?

And I think if an organization wants to make sure that they’re in the right place, they need to start looking at that and spend some money in identifying all these new attack surfaces that they’ve created due to the pandemic and then they need to start thinking, “Do we want to keep this setup? Do we want to keep the way that we’ve changed our architecture to facilitate home working, or not?”

And if they want to change it, then we’re probably going to see also more people moving to a zero trust architecture, where we’re having the device being seen as an untrusted device no matter where they are.

Fair enough. One of the things I wanted to ask you guys about is AI powered attacks. Everybody else is talking about them like they’re already happening or certainly will be in the near future. But Andy, in 2021 I saw your byline where you were saying that AI powered attacks don’t exist. What’s that all about?

Andy: Well, they don’t.

Please talk us through that.

Andy: Yeah. There’s a lot of people that plainly state that AI cyber attacks are already happening, and there’s no evidence whatsoever that that’s the case. And I think it really comes from a lack of understanding of current capabilities of AI, or machine learning. People think that AI is already somewhat sentient and able to make creative decisions and act like humans, and other people attribute essentially basic scripting to AI.

So if someone wrote a Python script that executes a series of actions on a computer instead of doing them one at a time themselves, they would call that AI. And these two things are being attributed to AI-based cyber attacks, which of course they aren’t. They aren’t AI-based cyber attacks.

No, no.

Andy: So we did some research last year where we created a reinforcement learning agent and trained it to do privilege escalation on a Windows system. That particular agent can perform privilege escalation with a number of different methods based on the configuration of the system that it’s attacking, but it was trained against specific attackable configurations of Windows 10, I think, specific mechanisms.

So you create a payload, you upload it to the system you attack, you replace a DLL, you start and stop a service, things like that. And then so it’s able to perform privilege escalation based on this methodology really well, but it cannot do anything other than that. It can’t perform the next steps, the lateral movement steps, or it’s not an AI that’s intelligent enough to figure out its target, go look them up on LinkedIn, craft a specific spear phishing email with a payload, get into that person’s system.

So it’s just one small step in an attack chain, but it proves that you can train an AI to do a cyber attack, but essentially all we did was configure the logic with the data, which is what machine learning is. Instead of writing a script that queries various parts of the Windows system and then does the appropriate actions, which would be the other way of creating that program. And it’s a simple enough program where you could potentially do that.

However, if you wanted to then include other steps, you could actually train a similar mechanism that would be able to follow on from that privilege escalation by performing other actions. So it could do longer chains of attacks. It could look for interesting systems on the network. It could exfiltrate data. It could put back doors onto machines.

But essentially, it’s a way of automating attack steps. We just trained an algorithm to do that instead of hard-coding an algorithm to do that.

And if you wanted to create an AI that’s able to discover novel attacks, new vulnerabilities or things like that, you would need something that we don’t have right now. You would need something, the next paradigm after reinforcement learning.

So that’s not going to happen in 2022?

Andy: No, absolutely not. I mean, that paradigm would require byte-level observations as opposed to observations you can obtain from looking at a list of registries or services running or LS or DIR on Windows, those kind of commands, right? It would need much more fine-grained data, and then it would need to output…

In our case, we actually had it output basically numbers which then corresponded with a whole command line to run. If you wanted to have it assemble a command line, it would have to output the characters to assemble that command line.

So it would have to be a much more complex model, and we don’t have technology to do that right now.

Mikko: And that’s a great example on why we have this misconception that attacks using machine learning are already here. You described research we did around possible ways attackers could be using this technology. So we do this kind of research so we are ready for the real attacks when they do appear, but this kind of research is not an attack by itself. This is research.

And when articles are published about academic research or university research or industry research on this, some people read it as attacks instead of research. And I’ve illustrated this problem. I spoke with a journalist who was convinced that malware using machine learning is already rampant because he’s read about all this.

I explained with a metaphor that imagine that you go and buy a car, a brand new Volvo, and you brag to your neighbor about how safe it is. And your neighbor disagrees and tells you that this car crashes more than all the other cars crash, and to prove his point, he shows you videos from YouTube of Volvo crash tests. Which means you’re both right. You have a safe car. And he’s right, Volvos crash more than other cars. But the crashes, these crashes don’t make the car less safe. They make it more safe.

And this is what we are trying to do with research like what Andy was describing. We do research into how AI-based attacks could use privilege escalation so we understand better how these attacks would look like when they are to happen. This is not a real attack. This is crash tests.

And this is one of the reasons why there’s this disconnect about what reality looks like and what many people believe is happening already, which isn’t.

Andy: I think a lot of people think that AI is already Skynet. They just don’t understand at all that AI is essentially fitting data points to a curve using some optimization technique. That’s all it is. Every case.

Mikko: People watch too much movies and television.

Yeah. That’s a lot less exciting than Skynet.

Andy: It is, isn’t it? Yeah.

Also, I don’t know. Maybe it is… In traditional security research, sometimes when there’s a finding or a piece of research being published and there’s a proof of concept, it often takes very, very little time for the criminals to take that proof of concept and weaponize it and start running with it. So maybe that’s what’s skewing the conversation here. Sort of, once something is shown to be possible, we immediately assume that the criminals are going to be all over it immediately.

Mikko: Yeah. But here they have the lack of skill, and it’s hard to find the people who would be willing to do this kind of research for criminal purposes. But as these gangs are becoming richer and richer, we are probably getting closer to the time where they might actually be able to hire the skills they need to do this. And the barriers for entry are becoming lower, so maybe we are headed towards a future where this will be reality. But it’s not reality today, in 2022.

Mikko, you already mentioned programmable money, but where are you on NFTs?

Mikko: Oh, let me ask you… Well, let me ask all of you. Janne, do you have any NFTs?

I do not.

Mikko: Adriana?

Adriana: No.

Mikko: Andy?

Andy: No.

Mikko: Neither do I. So none of us actually have NFTs. We’ve all heard about them.


Mikko: And I think it’s an interesting… Once again, the technology underneath is much more interesting as opposed to what’s actually being done with it today. The idea of these virtual collecting cards or Tamagotchis or Pokemons or whatever you, yeah, funny, but not really the real thing underneath.

I think the real innovation here is artificial scarcity. The idea that we’ve lived a couple of decades now in a world where everything is digital and you can make a perfect copy of everything, and it’s really hard to restrict you from making a perfect copy. If there’s a JPEG image, you can make a copy and it’s going to be the same thing, 100 percent. It’s going to be exactly like the original.

And now with these new technologies, we can actually prove that this is the original and these are copies. You can make as many copies as you want, but this is the original one. And originals have value.

And interestingly, I’ve been thinking about this now, regarding my book. You see, last summer, summer 2021, I met a friend of mine, Peter Newman. He had just written his own book and I was sitting next to him and I picked up my iPad and I bought his book as an ebook. So I was sitting right next to the author, I had his brand new book in my hand, and I wanted to get an autograph. But it’s an ebook. So how do you get an autograph to an ebook? Well, you don’t.

So we sort of laughed about it, but I’ve been wondering about it ever since. And now that I have my newest book out, I’ve autographed a lot of people’s physical copies, but again, the same thing boggles my mind. We have this new thing, an ebook, which is very, very popular, and there’s no way for me to sign it.

And I think there might be a combination of these two things here. I can sort of imagine a world where the authors could somehow sign copies of their works, whether it’s books or music, or I don’t know, poems. And you could prove that “I was there, he or she signed this for me.” And since this is programmable money, years later, I might be able to sell this autographed version of this piece, maybe it’s a book, maybe it’s a poem, to someone else.

And the original author, the artist, would automatically get a cut of the trade because this is programmable money. This would all work out. And we could take it a step further. Imagine that you’re watching your favorite band. I don’t know what’s Janne’s favorite band, but we’re going to assume it’s Guns N’ Roses.

We can assume that.

Mikko: Okay. Janne is watching Guns N’ Roses at Hartwall Arena in Helsinki and somewhere towards the end of the gig, Axl Rose shouts out to the audience, “Okay, take out your phones. We’re going to sign a song from your Spotify library, which is signed right here during this gig. Only the people in the audience will get this signature today, and it will be forever in your signed song,” which would be cool. Neat.

You could prove that you were there. You have a memory. It has a story. And again, maybe it becomes valuable later on, that this was the last gig they ever did, Axl Rose died a day later. It would be valuable to sell that. And again, well, Axl wouldn’t get a cut because he would be dead, but the rights holders would.

Programmable money built into proof of authorship to artificial scarcity. None of these exists today. People today are speaking about NFTs like Pokemon cards, but the technology would enable really interesting things, which just might make sense in the future. Do I make any sense to you, Adriana?

Adriana: Well, yeah. I think what I’m thinking about when you’re saying is kind of the area of digital rights or just copyright in general, and I think the cases that you’ve brought up like music, or literature, or maybe the arts, that’s where these use cases, it makes sense, right? Because there you have the value that’s being stored in an NFT and it’s traceable back to the source who created it.

And that can be important for people that create art because they want to maintain that ownership and then they want to maintain the ability to collect royalties on that ownership. Because I think that artists, they have at times struggled to maintain that ownership. So if they can actually…

I have a problem with that. My problem is that to me, that seems like these artists want to eat their cake and keep it too. I think if I make a thing, like a tangible thing, I make a cup, I can sell that cup and then make money that way, but I have to give away the cup. Now artists can take that. Like they can… If you take a cool photo, I can sell that photo and make money that way, but I’m giving away my rights to that photo. So with NFTs, sort of me as the photographer, I’m keeping my photo, I’m maintaining all the rights to it, but I’m also selling you, I don’t know, bragging rights to my photo. So am I making any sense here?

Mikko: What do you have against artists, Janne?

I don’t. I’m just saying like…

Mikko: Why do you hate art?

I’m saying people who make tangible things, they don’t have the luxury. Like should I start making NFTs of the cups I’m making or the cars I’m manufacturing or things like that because ultimately, we’re talking about artificial scarcity here and none of the historical examples around artificial scarcity are particularly worthwhile or good. Like limited edition handbags costing ridiculous amounts of money.

Adriana: But what about for people that create music, right? And then their music gets used in other… Like there’s a sample that gets used in another song or something like that. For them, it could be interesting to have that traceability and so they could actually claim royalties, basically.

But there’s a whole industry around that specifically for music.

Adriana: Yeah, I know. I’ve actually worked in that industry and I know how complex it is and I know how broken it is.

Mikko: Oh, this would be the solution. Programmable money is the solution. You can’t break the rules.


Adriana: Exactly.

Mikko: Even if you want to, you couldn’t. And of course, artists here could set the limits of, okay, for this song, you can buy it. If you resell it, we’re going to get a fraction of a percent of the resale or we could get 50 percent of the value of the resale. It’s all programmable and we would find out what works and what doesn’t.

And because of the decentralized nature of the programmable money, we could get rid of that whole complex, broken, difficult industry.

Mikko: Yeah.

Adriana: Yeah. But the challenge will still be, how do you collect the money? Right? So there is still… I was actually thinking about that.

Mikko: I don’t think that’s the challenge. Collecting the money is, if it’s programmable money, it’s collected automatically. The problem is that you can still make copies which are not original. Again, the song is going to sound exactly the same if you make a copy of it. It’s just not the original one.

So the original one would be valuable. When you resell, that fraction of that sale would go back to the author if that’s the way it’s programmed, but nothing prevents you from making copies of it, which wouldn’t be the original. Just like nothing prevents you from making copies of Mona Lisa, which look like the real thing, which are not valuable.

Adriana: And it also prevents fraud because for people that, for example, own a piece of art, then if they think that it’s the real thing, they value it differently than if they think that it’s not the real thing. So assuming you would receive art and you think it’s a real thing, then you’re trying to resell it and then somebody tells you, well, actually it’s a fake, then you’re going to feel really annoyed.

I don’t know. Not me personally because I don’t own any…

Mikko: He hates art.

I don’t hate art, but I don’t own any original paintings, for example. All the paintings I have are sort of recreations of famous paintings or things like that, and they look the same, they’re just as pretty, so they provide that value to me. They’re not the original signed by the author, but I don’t care.

Adriana: Yeah. But for example, for art collection companies that they own digital art, it’s easy to copy it, but they value it because they own the original, because owning the original is always something a bit more special.

And that’s something that we as humans have created with our own mind, right? This is a purely human phenomenon that we put more value on something that is original than an exact copy of that original thing. And there’s a business around it, right? The art industry is based on that.

That the original will be valued more than a copy. And I think for art, the art industry, why the NFT is an interesting idea, is because who and what is the original is really easy to prove. And then you don’t have all these… The chance of having a piece of art, a digital piece of art that is a fraud.

Mikko: And this nicely also answers the question which you always get around NFTs, especially images like JPEGs that you can just right click and make a copy. Sure. You can right click and make a copy. The difference is that your copy is not worth 100,000 euros.

Adriana: Exactly.

Mikko: The original is worth 100,000 euros. Your copy isn’t. Just like your copy of Mona Lisa on your wall, Janne, isn’t worth millions like the original in the Louvre is.

Yeah. I don’t know. Maybe I do hate art, because you’re not convincing me at all. Like Adriana, we had a conversation earlier about some of these new economies and business models emerging around the NFT space. Maybe we should talk about that instead.

Adriana: Sure. You’re talking about the play to earn economy?


Adriana: So this is an economy that is based in the digital world. A very clear example that comes to mind is the Axie Infinity game, which is a digital game where people own axies, and axies are basically little…

These characters. Yeah.

Adriana: Digital characters. And they just play against each other, and these characters are NFTs, and they are what is actually the valuable thing in there. So anybody can create an axie and then sell it and then you use that to play. So the NFT there is used to store the value. Does that make sense to you or…

It does.

Mikko: Well, and anybody who has played any game where you collect stuff or grind and collect gold to buy things would, I guess, agree that there’s value in there. You actually do work.

It’s hard work to collect all the coins you need to upgrade your character. And that’s why people are willing to pay real world money for these things. So it’s just an extension of the same idea, automating the same idea which we’ve seen in games for quite a while, and which has positive and negative sides. I mean, this is not an easy area and it’s, again, clearly in the middle of development.

But what I find fascinating about that is that this used to be a transaction between the company who made the game and myself as the consumer. But now there is this whole sort of economy around it. One company makes the game, and then maybe they’re taking a cut out of each transaction, I don’t know, but there’s this whole economy of people buying and selling in-game things to each other. We’ve seen examples of that happen in the past as well, but they’ve been sort of more limited, more confined to the in-game marketplaces, things like that. But this is sort of building a real world economy around a virtual experience.

Adriana: And it’s giving also access to more people, and more people can play these games and they can get something out of it. So it’s an alternative to your local economy, which might be really bad, and then your digital economy where you could be earning more money than in your local economy.

So it’s giving people an opportunity to make money, as it is right now, but we don’t know if this is really just a bubble, right? Because right now we’re at a place where we don’t really understand what NFTs are. Will they withstand the challenge of time, or is this just something that is a temporary bubble and at some point they will just blow up and NFTs will be worth nothing because as humans, we don’t really care about it anymore?

Mikko: It’s like Marc Andreessen failing to explain what a web browser is needed for.

Maybe it is, but at the same time, I don’t know. For example, Blockchain technology was supposed to be the solution to all mankind’s problems, and it’s been around for three decades now and there’s exactly one or maybe two actual viable use cases for it.

Mikko: Says Janne “Art Hater” Kauhanen.

Maybe that’s the case, but it didn’t solve all those things that it was supposed to be, like when you’re buying a house, that was supposed to go on this permanent ledger that’s a blockchain, and that’s not happening anywhere. Because it’s solving a problem that doesn’t exist.

Mikko: Yeah. Well, I agree. I agree. There’s tons of things that were supposed to happen which didn’t happen. But I would still claim it’s early days. The real Blockchain revolution hasn’t really been going on for 30 years, maybe 10 years. It’s still early days. We’ll see.

I think the definition of a great innovation here still is valid, and in my book, the definition of a great innovation is that when you explain it to someone, it’s obvious. And Blockchain is a ledger which is forever public and forever unchangeable. That’s it, which sounds like a pretty obvious innovation, but it wasn’t invented until Blockchain was invented.

So it is… There’s real innovation behind it and there’s tons of things which we could be doing with it which we aren’t doing yet, and we can do that without destroying the environment and the planet.

Adriana: Covered everything.

Andy: I was going to give you a non-capitalist take on the whole NFT thing. Because I mean, all the use cases that were discussed around NFTs were about people being able to make money off something. But I put more my code up on GitHub. I create artwork. I create these nice GIF-y things from network diagrams that I capture and stuff like that, and I let people use them. I don’t care. I don’t want money for that. But it would actually be a nice way of just kind of tagging something that I was the person who created that.

For what, do you want credit or do you want to see where it’s being used?

Andy: Like just kind of as a… So that anyone can look at and see that oh, I’m the person who made this code the first…

Mikko: So you’d like to sign it.

Andy: Yeah. Yeah. And then they can get in touch with me if they did something cool with it or they have questions or something. So that if they would get that Python script, obviously they can see that it’s mine because it’s in my GitHub. But if someone forks it and they would see that actually we originally, I was the one who wrote it, and so they could… They could get in touch with me if they wanted to. And so it would allow people to put stuff out for free without… Yeah. But, but by signing it, by kind of saying that I’m the person who made this.

Adriana: But don’t we already have something like that with the commons? The copyright commons…

Andy: MIT license or…

Adriana: Yeah.

Andy: Yeah, but that’s just a license. I’m not talking about licensing. I mean, yeah, I can add an MIT license to my code and so that anyone can use it.

Mikko: Which is easy to remove. If you would do it with something like that, there was no way to remove it.

Andy: Yeah. Right.

Mikko: It would be permanent.

Andy: Yeah. Yeah.

I don’t know. I’m starting to warm up to the idea that NFTs, as a way of sort of signing digital or virtual things, might have value. I’m starting to warm up to that…

Mikko: But nobody’s doing it, though.


Mikko: We should start a startup. Are you busy, Janne?

This is our second startup during this recording. But the first one was about kidnapping people, so maybe this is more sustainable.

Mikko: Yes. Different companies.

Yeah. Absolutely different companies.

Andy: Why can’t we do both?

No, no. We’re going to do both. They’re different companies. We want that deniability. Actually, maybe they should be the same company so that we can always talk about, “We’re doing this NFT stuff. All this stuff about us kidnapping people is preposterous, right? Like why would we…”

Mikko: We only kidnap people to fund the real operation.

Well, that’s the truth, but we don’t want to own up to it.

That was our show for today, hope you enjoyed it. Please get in touch with us through Twitter @CyberSauna, with your feedback, comments and ideas. Thanks for listening. Be sure to subscribe.
