Mikko Hyppönen, a luminary in the realm of cybersecurity, reflects on his illustrious career during this insightful dialogue. With over three decades of experience, he articulates the evolution of his professional journey, transitioning from programming to the intricate domain of malware analysis. He recounts his initial encounter with malware, specifically the Omega virus, which ignited his passion for reverse engineering and paved the way for his enduring contributions to security. Moreover, Hyppönen unveils his recent shift toward drone defense technology, indicating a profound commitment to addressing contemporary challenges in military applications. As he prepares to leave the cybersecurity landscape, he expresses gratitude for the community that has supported him throughout his tenure, underscoring the importance of collaboration in making the digital world a safer environment.
In this special edition episode of the Security by Default podcast, Mikko discusses his extensive career in cybersecurity, his transition to a new role in drone defense, and the innovative Museum of Malware that showcases the intersection of art and cybersecurity. He reflects on his journey, memorable experiences, and the importance of storytelling in engaging audiences.
Resources:
https://www.withsecure.com/en/experiences/museum-of-malware-art
Speaker A:Mikko, welcome to the short round fire of the Security By Default podcast.
Speaker A:It's a pleasure to have you back.
Speaker A:We've chatted many times over the years.
Speaker A:You've been doing Black Hat for many years.
Speaker A:How many times is this Black Hat for you?
Speaker B:20.
Speaker B:I'm guessing somewhere there a lot of, lot of conferences.
Speaker A:So I have a question.
Speaker A:When you're starting off in your career at a very young age, what actually, what was your alternative career option?
Speaker A:What were you.
Speaker A:If you weren't.
Speaker A:If you didn't get into cybersecurity, what would you be doing today?
Speaker B:I'd be a journalist.
Speaker B:I actually wanted to be a journalist.
Speaker B:I did a bit of like a radio journalist work when I was 18, 19.
Speaker B:I remember interviewing James Brown when he was visiting, towing a gig, things like that.
Speaker B:Also telling that I actually cut and pasted that interview, like literally cut it.
Speaker B:The tape that I recorded it on and I used tape to, you know, put it back together.
Speaker B:That's the way we did it.
Speaker B:I never got into the university that taught journalism, so then I took the alternative path, which was, well, computers.
Speaker A:It was very similar.
Speaker A:When you think about journalism, it's a lot of research, but did you choose cybersecurity or security at the time, because it wasn't called cyber, or did cybersecurity choose you?
Speaker A:What was it?
Speaker B:I was a programmer.
Speaker B:I studied on 8 bit computers, which taught me to do really low level programming on very restrictive devices.
Speaker B:And then later when I was hired to do programming professionally, well, the same company was also doing security and they realized that I could reverse engineer stuff, so they started giving me malware.
Speaker B:Mikko, can you reverse engineer this?
Speaker B:Can you decode and figure out what it's trying to do?
Speaker B:And I could.
Speaker B:That's what I started doing 20, 30, 35 or so, and I'm still doing it today.
Speaker A:That's impressive.
Speaker A:That's such a.
Speaker A:Very few people have such a long career.
Speaker A:Because in this industry, in this economy, careers change very often, almost like every five to 10 years.
Speaker A:So that's impressive.
Speaker A:You've done hundreds and hundreds of keynotes over the years and conference talks.
Speaker A:What's different about giving a talk and a keynote here at Black Hat?
Speaker B:Black Hat isn't actually that different from giving a keynote anywhere else except the audience, of course.
Speaker B:The keynote is huge.
Speaker B:12,000 people.
Speaker B:That's a lot of people for anybody.
Speaker B:But it's also a very knowledgeable, very technical audience.
Speaker B:So you really must not underestimate the technical level of the audience.
Speaker B:But in the end, what people really want to hear is stories they want to hear about what other people have done, what they've learned, and that's universal.
Speaker B:And that applies here at Black Hat as well.
Speaker A:Absolutely.
Speaker A:Fantastic.
Speaker A:I mean, I also.
Speaker A:I do a lot of talks over the years, and even before talks, I have a lot of my own personal preparations and rituals and kind of things that I do to get ready for it.
Speaker A:Do you still get anxiety?
Speaker A:Do you get, like, you know, some, you know, pressure?
Speaker A:Do you get scared?
Speaker A:Do you have any rituals?
Speaker A:How do you prepare for giving keynotes such as what you give here?
Speaker B:I have no tips to give there except to do a lot of talks.
Speaker B:I don't have rituals.
Speaker B:I don't get nervous because I've done my hundred thousand hours of talking.
Speaker B:How many hours?
Speaker B:You want to count?
Speaker B:I don't know.
Speaker B:I've done this for 20 years.
Speaker B:And of course, then it becomes something which, you know, regardless of the situation, that you'll be able to handle it regardless of the audience, regardless of the stage, regardless of the technical things.
Speaker B:Even if there is a breakdown and you lose your slides, you know, it's going to be okay.
Speaker A:And.
Speaker B:And I do think that this also matters to the audience.
Speaker B:When you have a really experienced speaker walking on stage, it's somehow obvious.
Speaker B:The audience will immediately know that he's.
Speaker B:He's gonna do it, it's gonna be fine, regardless of everything else.
Speaker A:Absolutely.
Speaker A:So practice makes perfect.
Speaker A:It's about, you know, repeating and practicing and just getting into it becomes almost.
Speaker B:Like a habit, and you become confident, and that's.
Speaker B:That's really.
Speaker B:It's obvious to the audience that this guy knows what he's doing when he's confident.
Speaker A:So a quick question.
Speaker A:What's your most memorable piece of malware?
Speaker A:What's the one that sticks?
Speaker A:Years?
Speaker A:Because you've.
Speaker A:You've researched many.
Speaker A:You've reverse engineered probably hundreds, if not thousands of pieces of malware.
Speaker A:What's the one that kind of always sticks in your mind?
Speaker B:There's many different options.
Speaker B:I could go with the obvious ones, like Stuxnet.
Speaker B: I spent the summer of: Speaker B:We could speak about Isla View, the largest email worm outbreak in history, which we were the first ones to find.
Speaker B:But I will start.
Speaker B:Or, I mean, I will.
Speaker B:I will choose the one that started it all for me, which is Omega, the very first malware I was ever assigned to reverse engineer.
Speaker B:I spent three or four days decoding it because I had no experience whatsoever.
Speaker B:In fact, I didn't even have a computer I could use to run the malware on because computers were expensive and we couldn't afford to spare a computer just for infecting it.
Speaker B:So I printed out the code, went through the code with pen and paper, had an interrupt reference list and an ASCII chart.
Speaker B:And I decoded it successfully, figured out how it replicated, how it activated on Friday the 13th, every time overriding all the files in the computer and then displaying a symbol.
Speaker B:And I was looking at the ASCII chart to decode that it's the Omega symbol.
Speaker B:And maybe a month later, I got a computer I could actually infect on purpose.
Speaker B:And I ran the malware, I changed the date, and it indeed was the Omega symbol.
Speaker B:And it was also the first virus I ever named, the Omega virus, which you can still find online if you Google for it.
Speaker B:And that started a tradition with our company, which is that after you work with the company for 10 years, you get an Omega watch.
Speaker B:And I've been carrying my Seamaster Omega for 24 years now.
Speaker B:And I know what you're thinking.
Speaker B:I should have named the virus Ferrari.
Speaker A:So that leads me into one of the things that just recently launched, I think it was last year, was the Museum of Malware Art.
Speaker A:Tell us a little bit about it.
Speaker A:Can people find it online?
Speaker A:Can they go visit it?
Speaker A:What's the way to get to go experience the museum?
Speaker B:I've been part of several really cool projects while working with this company.
Speaker B:But one of the coolest projects I ever did with Data Fellows or F-Secure or WithSecure is this museum project, which we started already three years ago, originally with the idea of archiving the history of malware and virus attacks and all that.
Speaker B:It expanded from just a museum into an art museum.
Speaker B:And this is a physical museum you can visit in Helsinki, Finland.
Speaker B:If you go to museumofmalware.art, you'll find the webpage and you can book a visit and come take a look at the things we have on display, where we have the history of malware, old viruses on display, but then completely new modern art, commissioned especially for the museum from international artists, where all the art pieces are inspired by malware or by cyber attacks.
Speaker B:And we have sculptures, paintings, AI art, interactive art, graffiti, textile art.
Speaker B:It's pretty amazing.
Speaker B:And it's a permanent museum I'm really proud about.
Speaker A:Absolutely.
Speaker A:Make sure that the audience who's listening in will actually get easy, easy links to be able to find out more about museum and also how to visit when actually doing a visit to Helsinki, Finland.
Speaker B:Sure.
Speaker A:So you've made a major announcement recently about a change in your career.
Speaker A:And direction.
Speaker A:Can you tell us about what's.
Speaker A:What's next?
Speaker A:What's your next passion and hobby?
Speaker A:What are you going to do in the future?
Speaker B:As we are recording this, I'm on my final days working at WithSecure.
Speaker B:So after 34 years, I resign and I will be starting in a new industry.
Speaker B:I'm joining a drone defense company called Sensofusion, building hardware products to locate and fight aerial drones and other kinds of drones as well.
Speaker B:And this is mostly used for military use nowadays, as we know.
Speaker B:The war in Ukraine has shown to us how the face of war has changed thanks to different kinds of drones.
Speaker B:And this is something I feel has more meaning right now than any other field of research.
Speaker B:And that's what I'll be doing in the future.
Speaker B:And I think there's a lot of similarities between cyber defense and drone defense.
Speaker B:And I'll be bringing what I've learned over these decades from cyber into drone.
Speaker A:There's definitely a lot of overlap for sure.
Speaker A:So for you, will this be your last Black Hat or are you going to come back?
Speaker B:It's going to be my last Black Hat.
Speaker B:Who knows?
Speaker B:For now it's the last one.
Speaker B:I won't be completely leaving cyber, but I will no longer be working in the cyber security industry.
Speaker A:Final.
Speaker A:You know, Mikko, thank you for being everything you've done over the years in the industry and making the world a safer place.
Speaker A:And now I'm really excited about you're continuing to continue to do that in another area with drones where it's really, you know, that's accelerating, I think, faster than anything else.
Speaker A:And it's changing a lot of the kind of the defence and the country's sovereignty as well.
Speaker A:So thank you for everything you've done.
Speaker A:Any final words of wisdom, any final notes you want to leave with the audience?
Speaker B:I want to repeat what I told the keynote audience here at Black Hat in my final words from the stage, which was thanking people for their work and thanking people for giving me a home.
Speaker B:Giving me a home for 34 years.
Speaker B:Thank you.