Back to the Future with Mikko Hypponen

In a few decades, your computers may be mostly bug-free because programmers won’t be writing your code, according to Mikko Hyponnen.

The chief research officer for F-Secure always has something controversial to say, which is why Black Arts Illuminated has bought him back as a keynote for SecTor 2016, which marks the security conference’s tenth year. Today, the conference also announced a selection of other first-round speakers who will take the stage this October.

Hypponen, who also delivered a keynote talk at SecTor 2011, thinks constantly about the future of cyber security, but he also has nostalgic leanings. He made a film about tracking down the place where the first ever computer virus was ever written:

He also works with the Internet Archive on the Malware Museum, a collection of early eighties and nineties viruses that have been put into an MS-DOS emulator. The idea for the museum came to him when he saw another Internet Archive project, which ran old DOS games directly in the browser.

He realized that the emulation was now so good that it will could support early malware, which was pretty badly behaved with its self-modifying code and use of undocumented DOS opcodes. He started talking about it with the Internet Archive’s Jason Scott, a computing historian himself responsible for some excellent documentaries about the early days of computing. Since then, Hypponen has put dozens of early viruses online.

From games to viruses

“It’s quite clear now in hindsight that early computer viruses in particular were like an art form,” he said. Early viruses were different to today’s vicious, single-minded malware. Instead of secretly stealing your cash and logging your passwords, they made their presence known. They displayed messages demanding the legalization of cannabis and animated your screen, and then often nuked computers in spectacular style, wiping whole hard drives.

Just because Hyponnen’s job was to kill them doesn’t mean that he can’t respect and document them, which is why he spends time poring over old floppies and resurrecting them.

“It was an important episode in the history of computing, and if we don’t save this part of our history while we still can, while we still have some old floppy drives, then we never will,” he said.

Hypponen is also a video game enthusiast, and collects old cabinets. At his peak, there were 13 in his house, including his favourite, Xevious. He is now donating them to a crowdfunded gaming museum in his native Helsinki.

“The reason wasn’t really the games, but the whole thing. The cabinet. The art. The sounds. It’s so different to play the real Space Invaders game – I have that game,” he said. “The biggest difference is the thumping bass that hits your stomach when you play the game, which you will not get out of an emulation. The whole cabinet is basically a subwoofer.” Then, for effect, he makes the quickening ‘dook-dook’ sound that any eighties teen will remember.

It’s no wonder that Hyponnen remembers the old days of computing so fondly. He grew up in the early days of home computing programming a Commodore 64, and quickly graduated from playing games to writing his own. “The only way to write games on a 1 MHz system like the Commodore 64 was to write them in assembly,” he said.

Unlike higher-level languages such as C or the Commodore’s built-in BASIC, assembly language talks more directly to the computer’s chip, enabling developers to perform more intricate low-level operations. Before long, he was writing his own graphics routines and selling them to games companies.

He ended up working at a six-person startup called F-Secure that did security training. One day, someone bought in an infected floppy disk, and his boss asked him to use his assembly programming skills to reverse engineer it. “That’s when I reverse engineered my first virus,” he said. He never left.

What’s old is new again

What’s strange is how many early trends in cybersecurity and malware come around again, Hypponen muses. The attackers have changed, morphing from home hobbyists into organized criminal groups, and the motivations have become almost entirely financial, or espionage-based, with some activism thrown in. But the techniques revolve as they evolve.

“Viruses like ‘Stoned’ would only spread around the world as fast as people would carry them,” he said, recalling the days when they only spread via floppies. Fast forward to today, and we have USB worms that spread only via thumb drives, he points out.

These techniques are still being used because they’re proven to work, he said. “Stoned infected computers on every single computer on the planet, including machines at research stations in Antarctica.”

He also calls out macro viruses, which he said Microsoft killed in 1997 with the release of Office 97, when it introduced more security around macro execution.

“Now it has come back,” he said. “We’re moving away from web-based exploit kits back into email attachments.” Now, the attackers persuade users to enable macro execution using social engineering. Human vulnerability is another thing that hasn’t changed.

If anything, humans are the weak link that Hypponen says must be addressed in the next few decades.

“We will always have bugs because programs are being written by human beings, and they make mistakes,” he said. The bugs are what enable attackers to exploit the systems. So how do we fix the bugs?

“It’s obvious. We have to get rid of people to do the programming, and they have to be replaced with a superior automated program that writes the programs for us,” he said. “Yes, I’m talking about artificial intelligence.”

Years ago, Hypponen wrote his own program that would write its own code. It wrote terrible code, but it compiled, he recalls. In his lifetime, he believes that we will get to the point where automated coders equal human beings in skill.

“Boom. It’s the last day that any programmer on the planet has to write anything ever again,” he predicted. A super-intelligent programmer will write a better version of itself, which will [in turn] write a better version of itself.”

An advanced AI writing better versions of itself is scary, he said, but it would provide a giant leap towards the creation of more secure software. And a breakthrough like that could finally break the constant equilibrium between black hat and white hat, he believes.

Debugging dumbness

Faced with that kind of power, cybercriminals would be forced to focus on social engineering attacks, which leaves us with another problem, which goes back to the days of the floppy disk: how can we stop users doing dumb things? Perhaps, in the end, it’s about restricting functionality.

Hypponen conducted this interview via Skype on an iPad. It’s a great device, he pointed out, but you can’t program it. Instead, you have to use a more powerful computer to write your code and then send it to Apple for approval. Once Cupertino has blessed it, you can load it onto your tablet.

“It’s a really restrictive model, but it’s also quite secure. This is the basic reason why you have so little malware for iPads. And users are happy to make this trade-off. If you’re not a programmer to begin with, you don’t really need that part,” he muses.

That’s one vision of cybersecurity, with a world divided into users and tinkerers, and AI looking after everyone. It’s a far cry from a present which people like Hyponnen are currently grappling with. Here and now, the tug of war between cybercriminals and researchers like him continues.

Are you interested in finding out more about the present and future of security? Come and hear Mikko Hypponen speak at the SecTor security conference in downtown Toronto, October 17-19th 2016. Check out the registration page.