Me on Belgian TV, explaining how a hacker can use insecure IoT devices to impact every other part of your digital life

Fennel Aurora’s Articles, Talks, & Media

--

My work is spread over multiple outlets. I write thousands of words a day, give talks, and answer interesting questions. Most of my work is under NDA — here you will find the parts that are not. This post provides a central location to find my articles, information about talks I have given, and my press clippings.

Beyond what is below, I am fairly prolific on Twitter on all kinds of topics, mostly related to security, privacy, surveillance, and broader human rights struggles. Opinions and comments are my own, obviously!

If you like what you see and want more, please feel free to contact F-Secure PR to arrange articles, interviews, and talks. Alternatively you can contact me directly on Twitter or LinkedIn.

Articles

It Is Okay To Not Be Okay — Nobody is at their best now. We are all living with 1 year of fear, loss, anger, and uncertainty with no clear end in sight. We are not indefatigable unfeeling machines. It is okay to not be okay.

Watching IoT manufacturers and regulators repeat history — Security, privacy, and safety protections are not new unsolvable problems. I take the radical position that learning from our history, rather than forever repeating it, might be good for consumer IoT.

What Would You Call It? — Sometimes I look at numbers, and I am angry. What would you call it? Would you forgive us? Remember it is not too late for the rest of us (individually and as leaders), we can still take the examples our East Asian and African peers have been begging us to follow for months.

Spectre & Meltdown Explained To “Normal People” — Patricia Aas of TurtleSec Norway issued a challenge to the cyber security community: “Go try to explain Spectre and Meltdown to normal people, I dare ya’”. Challenge accepted!

Every Important Problem Is Systemic, And Not Only Individual — My approach to life, activism, and work all have this idea at the center.

So Google Is Making A VPN? — More nuanced full answer to reporter questions on whether we expect this app to become popular, and whether we trust Google to protect users’ data on this VPN.

What Are Infostealers? — What are infostealers? Why are criminals using them? How do they make money from them? What are other reasons infostealers are used? What is an example of how an infostealer works? How common are they? How do I protect myself? Answers inside.

What does Apple’s encrypted DNS mean for consumer security and privacy? — Longer piece explaining the threat modeling and potential current and future impacts of Apple and other major consumer platforms introducing DNS-over-HTTPS and DNS-over-TLS features, especially in the context of consumer security services delivered via internet service providers.

Beginning and building your cyber security career — So you want to work in cyber security? Here are my tips for how to start and build your career.

Dinosaur Names — What have dinosaurs got to do with privacy & technology? What is the best dinosaur music? What is objectively the best dinosaur? Answers to these pressing questions inside!

Refurbished Phone Security — There are legitimate security concerns around using outdated phones of potential dubious provenance. That said, it is worth putting these concerns in perspective by modelling the threats faced by the likely buyers of these devices.

Making Prevention Visible — What do cyber security, the Y2K bug, and the ongoing COVID-19 pandemic have in common? Our best work is mostly preventative and we must justify the “peacetime value” of all the bad things that did not happen thanks to our actions, processes, and tools.

Act As If This Is A New Polio — My mental model for how to manage COVID-19 risks is polio. Here’s what I mean by that, with lessons from cyber security, chess, and Talmudic philosophy.

The Rioters Are The Ones — Who are the rioters? You will know them by their actions. And when you see the shameless obscenity of their actions, there is an obvious answer.

Data Breach Alert! What Should I Do? — What should we do when we hear about a data breach in the news for a service we use, like EasyJet today? Here’s some practical advice.

A Secret: The Writing Part Is Quick! — What writing doesn’t require is a lot of time. Writing is like the old joke about the factory with a broken machine…

Password Complexity For Non-Technical Consumers — Explaining the mathematics and information theory behind password complexity to a non-technical audience, including working through a few thought experiments. This is why we should all just use a password manager. Also available in Italian — Complessità delle password per utenti non tecnici.

Mitigating Zoom Risk — Many people, especially the most vulnerable, do not really have a choice in using Zoom. That doesn’t mean Zoom is not malware. It does mean we need to help mitigate the risks for those people. Here is some advice for both callers and call admins. A follow-up to this article.

“Privacy vs X” is Always a False Framing — The current pandemic is once again bringing up questions on how privacy rights should be balanced against other important social needs — in this case public health. It is my belief that this is a false and dangerous framing.

My Netflix Travels — Even though we are all going to be stuck at home for a while, we can still travel the world! Here are 14 Netflix TV show recommendations from 14 different countries & 5 continents, + 2 bonus themes to travel with.

Numbers Always Hide Choices — a brilliant infosec incident response example perfectly illustrates the hidden world behind every number we see and use. Numbers are not objective. Numbers always always always hide choices!

Using REVTeX on Windows — Helping friends and family with IT problems is a great way to learn obscure computer things that you would never see otherwise. REVTeX is an incredibly niche programming language that physicists worldwide need to learn if they are to get published in some critical US journals.

‘Smart’ Sewer Cyber Security & Privacy Impacts — some cyber security and privacy risks to weigh and mitigate against when considering the positive potential of deploying ‘smart’ sewer systems.

It’s A Scam! — “I just received a reasonably well-crafted semi-targeted phishing attempt on LinkedIn.” Explanation and advice on how to spot and deal with LinkedIn scams targeting your company.

5G and IoT: How will security change? — speculative opinion piece on how security will change with 5G.

Security Advice Is Never Neutral — follow up to my travel security tips, detailing why cyber security and opposing systemic injustice can never be separated.

Travel security tips for your summer holidays — simple practical advice on things you can think about before, during, and after a trip to improve your digital security. Also available in French — Quelques conseils de voyages pour vos vacances en toute sécurité. Also available in Spanish — Consejos de seguridad para sus vacaciones.

Zoom on Mac & Its Wider Implications — practical warning and advice for Zoom video-conferencing users, and a call for the cyber security industry and legislators to look at how we deal with “legitimate” companies whose business models and products are indistinguishable from malware.

6 Predictions for the Future of Consumer Cyber Security — explaining some general trends that I’m fairly confident we will see continue during the next 5+ years. Also available in French: Cybersécurité des particuliers : 6 prédictions pour l’avenir.

Keep Calm And Use A Password Manager! — analysis and response to some interesting research on the security of password managers.

Everyone Can Use a Password Manager — Here’s How! — a step by step tutorial on how to start and continue using a password manager. It’s super easy and the single best thing most people can do to improve their online security.

All the Ways Facebook Can Track You — explanation of the 7 major categories of metadata available to Facebook. Illustrates just how powerful and invasive the surveillance economy has grown.

5 Common Sense Security and Privacy IoT Regulations — proposal for how to bring IoT security and privacy up to the level of consumer safety of other products.

Why Should I Care? — a short battle-cry, answering why we should all care about protecting everyone’s security and privacy.

No Security in a World Without Privacy — detailed look at why our fundamental human right to privacy is so critical to the protection of every other freedom. Also available in French: Pas de sécurité dans un monde sans vie privée.

Can the People on My Smart TV See Me? — a humorous look at Rockwell’s question “Can the people on TV see me, or am I just paranoid?” as a way to highlight how much intrusive surveillance is already in all our homes.

What Were the CryptoWars? — a history of ordinary people using cryptography to protect their security and privacy, the very recent phenomenon of dominant nation states being able to try to stop them, and the ongoing fight to protect our right to strong encryption.

The High Grounds of Mass Surveillance — a detailed look at 20 different ways that the Five Eyes states totally dominate the world in terms of their ability and willingness to do mass intrusive non-consensual surveillance on everyone worldwide.

9 Reasons Why I Hate Your App — explaining my approach to product design and development via a humorous look at 9 common mistakes.

Talks

There Is No Security Without Privacy talk’s title slide

“There Is No Security Without Privacy” — a public 20 minute talk from a February 2020 ENISA event to an audience primarily made up of EU member state Telecoms Regulators on why aggressively protecting users’ privacy from both state and commercial surveillance is a critical duty of the EU towards its citizens. Photo.

DoH & AI talk’s title slide

“DoH & AI” — a 20 minute talk from February 2020 to an audience of CISOs from European Telecoms operators giving a look at how F-Secure sees the consumer cyber security layers; how we think they will and won’t be impacted by DNS-over-HTTPS; some of the ways we are using AI/ML to secure the layers today; and how we see that evolving tomorrow, including with Federated Learning and Swarm AI.

“Are We Doing The Basics?” — a 20 minute talk from October 2019 to an audience of CISOs from European Telecoms operators on a cheap, easy, and effective way to drive InfoSec and OpSec awareness with employees, focusing on the real weak links in the chain.

“There Is No Security Without Privacy” — a 20 minute talk from October 2019 to an audience of network & technology innovation managers from European Telecoms operators on why aggressively protecting users’ privacy is both a moral duty and a huge business opportunity.

“There Is No Security Without Privacy” — a 50 minute keynote from September 2019 to 300 Ericsson security professionals. Message me if you would also like to hear a 50 minute talk about privacy, mass surveillance, and software ethics that includes Hollerith machines, punch cards, 17th century insurance industry jargon, the Code of Hammurabi, researcher Sarah Jamie Lewis, poet John Milton, philosopher Jeremy Bentham, writer Flavia Dzodan, archbishop Desmond Tutu, vials containing body odour, a picture of a baby squirrel, and a few other random things.

“There Is No Security Without Privacy” — a 20 minute talk from June 2019 to an audience of CISOs from European Telecoms operators on why aggressively protecting users’ privacy is both a moral duty and a huge business opportunity.

“Industrialization of Malware Analysis” — a 90 minute talk + 30 minute Q&A given in 2017 to cyber security students at the Paris EPITA University on malware history and the use of machine learning as an adjunct to help protect users. No video is available, but there is a journalist’s write-up of the talk in French with photos.

“Galois Connections & The Calculational Proof Method” — a 15 minute talk given in 2002 to members of the mathematics and computer science department of Oxford University as part of my Masters in Computation.

“Applications of Kolmogorov Complexity” — a 10 minute talk given in 2001 to members of the mathematics and computer science department of Oxford University as part of my Masters in Computation. This is a fascinating area of information theory linked to randomness, cryptography, DNA analysis, and many other areas. No trace online, unfortunately.

Multiple 15–60 minute internal talks/seminars given as part of my work at F-Secure to telco partners on many subjects: basics of malware protection, password management, trends in security, IoT security, operational security, hacking, data analysis, surveillance, …

Media

Businesses Could Benefit From Proposed UK Consumer IoT Security Legislation — Comment from myself and others in Security Week on the latest UK IoT regulation proposal.

Google to launch VPN inside cloud storage app — Comment on Google’s latest announcement in the Daily Swig, an online cyber security focused news outlet.

In the market for a second-hand phone? Check it’s still supported by the vendor — almost a third sold are not — Which? have published an investigation on refurbished mobile devices, highlighting that in many cases they are already or soon out of software support. Here is some commentary from Professor Woodward, myself, and others in The Register. My full reaction here.

How do I select a mobile security solution for my business? — responses from 5 cyber security companies in the Help Net Security online magazine, each taking a complementary approach within a 200 word limit to how businesses should secure their mobile devices. My contribution is based on parts of my “Are We Doing The Basics?” talk.

Peut-on vraiment faire confiance à Zoom ? — reporting on the privacy and ethics issues surrounding Zoom in French magazine Le Grand Continent referring to my articles and commentary on the subject.

5G et objets connectés : comment la sécurité va-t-elle évoluer ? — editorial in French computer magazine Informatique News with my thoughts on the ways in which IoT, cyber security, privacy, and society in general could change with the latter stages of 5G.

Could a new technology powered by AI help protect Britain from floods? — on smart sewer systems being proposed in the UK, US, and elsewhere. The article includes some of my comments on the fragility of such complex systems and so the potential for increased cyber security risk. My full response here.

Get yourself cybersecure for 2020 — a brief excerpt of a quote in the UK’s The Guardian broadsheet newspaper. This was cut (and placed in a confusing context) from my original feedback to a request for comments on biometric security for mobile phones:

Again, it depends on the users’ current behaviour.
Most people do not set any code on most devices. Biometrics is more secure than no code.
Biometrics is more secure than a code of “0000”.
That said, the preference is to use a strong (meaning a long) password for all devices.
It is stronger.
It can be changed (imagine trying to change your face or fingerprints when they leak).
You often have stronger legal protections against self-incrimination.

FASTags pose serious data privacy and security threat — comment on India’s FASTag system, and the way that a few seconds of convenience is used to further extend mass surveillance. Surveillance is a privacy issue. And like all privacy issues, it is also a physical safety issue for women, LGBTQIA+ people, and targeted ethnic/religious groups. That is not an OK price to pay for convenience.

What If Netflix, but Twice as Fast? — New York Times article about the great lifehack of watching and listening to online content at accelerated speeds.

Internet technology’s walking dead — comment for the F-Secure blog on the explosion in Telnet attacks due to irresponsible unregulated IoT manufacturers.

From Adobe to Windows XP: Forced upgrades aren’t just about staying up-to-date, they could save you from hackers — Based on an extensive interview with Rhodri Marsden, lots of quotes on the complexity of thinking about forced auto-updates for software, touching on changes in the software industry, financial incentives, software ethics, and consumer security.

Potential ‘Mirai-style botnet’ could be created via Telestar Digital Radio vulnerabilities — comment on the Telestar Digital Radio vulnerabilities and their implications for the “security walking dead” of today’s IoT.

Identity fraud: this is what you need to know — interview with Dutch telecoms operator XS4ALL, talking about identity theft, the future of passwords, and how we in cyber security can do better in meeting users where they really are to protect them. Article is in Dutch, auto-translate tools work pretty well.

Stay cyber-secure this summer — article in the IT Pro Portal online magazine, asking 4 security experts for holiday travel security advice.

Will the Huawei ban create a third way for smartphones? — article in the July 2019 edition of UK print magazine PC Pro, with some comments from me around the US government’s bad faith attacks on Huawei.

Is Windows 7 safe? — article by The Big Tech Question online magazine, with extensive quotations around Windows security, patching, and how to think about consumer threats.

Good intentions behind online age verification checks are not enough — F-Secure’s reaction to the recent UK “porn pass” laws, including extensive comments from myself and another colleague. Similar comments have also appeared in The Sun, Computer Weekly, Beta News, and other UK outlets. Also available in French.

Tech firms race to get a camera in every home: Here’s how to protect your privacy [Paywall] — article by UK broadsheet The Telegraph including some of my thoughts around the wisdom of smart speakers/cameras in the home.

[Avis d’Expert] Le crypto-jacking vous mine ? Nos conseils pour protéger vos ressources — 7-page expert briefing document for companies on the subject of crypto-jacking, based on an interview.

4 faits surprenants sur les malwares — article by French tech news site Presse Citron based on my Industrialization of Malware Analysis talk.

Protéger tous vos appareils connectés à la maison d’un seul coup — I was interviewed in both English and French as part of a short piece on the consumer products show “On n’est pas des pigeons !” that airs on Belgian national TV channel RTBF, talking about security for consumer IoT.

Fennel Aurora Has Something to Hide — one of 30 interviews F-Secure did with selected fellows from across the business to celebrate 30 years in cyber security. The interview focuses on why I work in cyber security and why I consider it so important.

SFR Password: F-Secure mise sur les opérateurs — from the French version of the tech magazine ZDNet, about the launch of a password manager for SFR customers, F-Secure’s approach to operator partnership, and why password managers are so important.

Le minage de cryptomonnaies, nouvel eldorado des clouds français — for the French tech magazine Journal du Net, about blockchain, crypto-mining, and cloud computing.

セキュリティーとプライバシーに関する5つの常識的なIoT規制 — for the Japanese consumer magazine Takara Joho, translation of my 5 Common Sense Security and Privacy IoT Regulations article.

Fenneladon Privacyasaurus Aurorateratops

Global Partner Product Advocate at F-Secure | Cyber Security, Privacy, Surveillance, Software Speaker | English & Python Writer | he/him