F-Secure's Mikko Hypponen on IoT: If it uses electricity, it will go online

Want a more secure PC? Try Windows 10 S, says CRO

PC Security and Windows 10 S

What about F-Secure's traditional business of securing PCs? The recent WannaCry ransomware was interesting in part because even PCs with up to date security software could be infected (though F-Secure was apparently effective). Are locked-down operating systems like Windows 10 S, Android and iOS a better long-term solution?

"It is, and it works," says Hypponen. "Windows 10 S for all practical purposes is iOS. They lock down everything and you will not be able to program it. That's the difference. Take the big 12" iPad. You add a keyboard, and you compare it to MacBook Air. It's the same device. The iPad is a bit faster, has more memory. It's roughly the same size. And you can do everything on both except I can't program the iPad. I can program the MacBook. It is a huge difference in security. When the device cannot be programmed by the end user, you remove whole classes of security problems.

Microsoft's Surface Laptop, running Windows 10 S

Microsoft's Surface Laptop, running Windows 10 S

"That's what Microsoft is trying to do with Windows 10 S. I think it is a great idea. They want to compete against ChromeBooks and iPads in the education space. Of course there are attacks which will work even there. A mundane example would be phishing, stealing people's credentials. We have seen ransom trojans which infect the system through exploits and which run completely in memory, so they don't drop any executables on the hard drive. Another example is VB Script and JavaScript malware which is not binary at all."

What about state involvement in the security of our computer systems? The UK government, among others, talks about loosening security supposedly to improve counter-terrorism intelligence, but foreign powers too may want to spy on us.

"I am not surprised that politicians like your current and previous prime minister have been asking for restrictions on strong encryption. They are politicians. I am disappointed at their technical advisers. Their advisers should understand better. What politicians understand is that, yes, the bad people do use strong encryption. But the solution is not to ban security. The cat is out of the bag. All of this is based on math. You can walk into every library and get a book which will tell you how to implement uncrackable encryption. The secret is out.

"Once the secret is out, if you are going to pass a law which makes it illegal to use strong encryption, then you and me will follow that law. You know who is not going to follow that law? Bad people. So if we restrict access to strong security then the people who need security won't have access to it and criminals will still have access to it, so this will never work."

F-Secure now provides a VPN solution, which some people may want to use for illegal purposes whether that's simply downloading a copyrighted movie or engaging in more sinister activities. Is F-Secure trying to prevent that kind of usage? If the police ask for details of what a particular user is doing through your VPN would you help them?

"We'd love to help but we can't because we don't log, we don't have the information they are looking for," says Hypponen. "We don't have names of the users. It's supposed to be a privacy-enhancing product. We are not trying to be dicks to law enforcement. We work with cops regularly when we fight online crime. But privacy works both ways. We can't just give privacy to good people without giving privacy to bad people.

"It is a hybrid VPN. It is not a blind VPN where we wouldn't be able to block anything. There are sites that you can't access with Freedome. We block phishing sites. There are other kinds of traffic that we block. But it is completely automated, it is not per-user. If law enforcement asks us to block access to certain sites and we agree, we are happy to do that, but we can't tell them who went there."

Do you feel comfortable that you are not making it easier for people to break the law?

"I don't like the fact that our product can be used to do bad stuff. Then again, terrorists can buy our antivirus. This is the same kind of argument you could have about knives, or cars. Can be used for good, can be used for bad. I am not losing my sleep over it."

More information on Sense is here

Sponsored: Minds Mastering Machines - Call for papers now open


Biting the hand that feeds IT © 1998–2018