
Search Results for Beca:

Paul Makowski


 

(digital music)
>> Welcome, everyone. Donald Klein here with CUBE Conversations, coming to you from our studios at theCUBE, here in Palo Alto, California. And today I'm fortunate enough to be joined by Paul Makowski, CTO of PolySwarm. PolySwarm is a fascinating company that plays in the security space, but is also part of this emerging blockchain and token economy. Welcome, Paul.
>> Thank you, thank you for having me.
>> Great, so why don't we just start and give everybody an understanding of what PolySwarm does and how you guys do it?
>> Sure, so PolySwarm is a new effort (audio fading in and out) to try to fix the economics around how threat (missing audio)
>> Donald: Okay.
>> So, we see a lot of shortcomings with (audio fading in and out) I think it's more of an economic concern rather than (missing audio) (laughs) Rather than a concern regarding (missing audio)
>> Donald: Okay.
>> So, what PolySwarm is (missing audio) and change how (missing audio)
>> Okay.
>> So, it is a blockchain project (missing audio) will govern tomorrow's threat-intelligence base and perhaps, ideally, generate better incentives (missing audio)
>> Okay, so, generally if I'm understanding right, you're playing in this threat-intelligence area, which is commonly known as bug-bounties. Correct, yeah? But you guys have kind of taken this in a new direction. Why don't you just explain to me kind of where this threat-intelligence distributed economy has been and where you see it going in the future.
>> Sure, so bug bounties are, we had spoken earlier about HackerOne, for example. Bug bounties are an effort to identify vulnerabilities, and open vulnerability reports to arbitrary people across the internet. And incentivize people to secure products on behalf of the product owner.
>> So, I can be an independent developer, and I find a vulnerability in something, and I submit it to one of these platforms, and then I get paid or rewarded for this.
>> Yeah, and so the likes of HackerOne is a player in the space that conducts these bug bounties on behalf of other enterprises.
>> Donald: Got it.
>> Large enterprises such as Google and Microsoft and Apple, even, run their own bug bounties directly.
>> Donald: Interesting.
>> But, there's also these centralized middle men, the likes of HackerOne. Now, PolySwarm is a little bit different. We've discussed perhaps distributing the bug bounty space, but what we're focusing on right now at PolySwarm 1.0 is really just determining whether or not files, URLs, network graphics are either malicious or benign.
>> Donald: Interesting.
>> There's this boolean determination to start with, and then we're going to expand from there to metadata concerning, perhaps, the malware family of an identified malicious file. And then from there we'd also like to get into the bug bounty space.
>> Okay.
>> So, by PolySwarm being a fully decentralized market, us, as Swarm Technologies, will not be the middle man. We will not be in the middle of these transactions. We think that is going to make everything a bit more efficient for all the players on the market. And will best offer precision reward to be both accurate and timely in threat-intelligence.
>> Interesting, okay, alright so I want to talk to you just a little bit more, because not everybody out there may be fully familiar with how a kind of decentralized app works. Talk to us a little bit about how blockchain fits in, how smart contracts fit in, and maybe just a little about, like, if I were to work on the PolySwarm platform, would I set up my own smart contract? Would somebody set it up for me? How would that work?
>> Great question. So, in general, we see smart contracts as a new way to literally program a market. And I think this concept is applicable to a lot of different spaces. My background and the PolySwarm team background is in information (missing audio).
>> Donald: Okay.
>> So, we're applying smart contracts and market design specifically to a problem area that we are experts in.
>> Okay, and what kind of smart contracts are these? What platform are you running on?
>> We're running on Ethereum. We had previously discussed possibly expanding to Bezos, although there are perhaps some reasons not to do that anymore right now. But yeah, on Ethereum, we've been publishing our proof of concept code for our smart contracts right now which is available on github.com/polyswarm. More directly to your question concerning developing applications that plug into our platform or plug in to any platform, we've also released an open-source framework called Perigord. Which is a framework for developing Ethereum distributed applications using Go, which is a language developed by Google. So, I hope that answers a little bit, but
>> So, you're really pioneering this whole world of moving to a decentralized, distributed app framework.
>> Yeah, so, we're not the first people in this space, but we are expanding the ease of development to the Go language space, away from strictly programming in JavaScript. A lot of distributed applications today are programmed in JavaScript. And there's pros and cons to each language, but we're hoping to get the Go language engaged a little more.
>> So, let's go back now around to the people that are going to be participating in this marketplace, right. You were talking about unlocking the economic potential that's latent out there. Talk a little bit more about that.
>> Exactly, so we had spoken a little bit ago about HackerOne, and one of the things that I think is really cool about HackerOne is the fact that it's offered globally. What makes that really cool is that HackerOne gets a lot of great submissions from people in locales that may not indigenously offer sufficient jobs for the amount of talent that the local economies are producing. So, that's a sort of latent talent.
HackerOne is particularly popular in India, China, Eastern European countries, we'd like to also direct that talent toward solving the threat intelligence problem, namely accurately and timely identifying threats in files or graphic files. So, we'd like to-- We are operating in an eight and a half billion dollar per year space, the antivirus space, and we'd like to unlock this latent talent to broaden what threats are detected and how effectively enterprises defend themselves through a crowdsourced contributed manner that will cover more of the threats.
>> Interesting, and so why don't you just talk a little about URLs and why those are important. We've seen a lot of hacks in the news recently, people going to sign up for a token sale and then being rerouted to the wrong place, et cetera. So, talk about malicious URLs. I think that might be an interest for people.
>> Sure, everyone is trying to determine what URLs are malicious. Google has built into Chrome their safe browsing program that's also present in Firefox, Microsoft in some equivalent. Everyone's trying to determine and prevent people from being phished. You mentioned there were a few ICOs in this space that unfortunately had their websites hacked and their Ethereum contribution address changed, the hackers made off with some money. What PolySwarm does at a base level is it creates a market for security experts, again, around the world, to effectively put their money where their mouth is and say I think to the tune of 10 Nectar, for example, Nectar is the name of the PolySwarm note, that this URL or this file is malicious or benign. And those funds are escrowed directly into the smart contracts that constitute PolySwarm. And at a later time, the security experts who are right, receive the escrowed rewards from the security experts who were wrong. So, it's this feedback loop.
>> It sounds like participants are kind of betting on both sides of whether something's malicious or not?
>> Yeah, in effect.
Legally, I definitely wouldn't say betting. (laughs) But it's
>> Donald: Fair enough.
>> The correct answer is there, right? The way that PolySwarm works is an enterprise has a suspect file or URL and decides to swarm it and what they do on the backend for that is they can either directly post this file or URL to the network, the network being the Ethereum blockchain. Everyone that's watching it and is cognizant of PolySwarm will be aware that there's a suspect file that perhaps I want to decide whether or not it's malicious as a security expert. Again, around the world, security experts will make that decision. If this is a particular file that I think I have insight into, as a security expert, then I might put up a certain amount of Nectar because I believe it is one way or the other. The reason why I say it's more of a-- The correct answer is in the file, right? It is in fact either malicious or benign. But what PolySwarm's economic reward is both timeliness and accuracy in determining that mal intent, whether or not that file is (missing audio).
>> Interesting. And so the use of the smart contract is pretty novel here, right? Because the smart contracts then execute and distribute the bounties directly to the participants based on answer, is that right?
>> That's correct. And that's the real key part. That eliminates the middle man in this space. A lot of the talk around blockchain in general is about restlessness, about not having middle men. In PolySwarm the core smart contract, again which are on github.com/polyswarm, they are able to actually hold escrowed upon. Though we're not in the middle and those escrowed funds are released to people who effectively get it right through the cost of people who got it wrong. So, we think
>> And this is all automated through the system?
>> This is all automated through the system.
If I could take a step back real quick here, some of the shortcomings we're trying to address in today's market are if you imagine a Venn diagram, there's a rectangle that has all of the different threats in this space and you have large circles that cover portions of the Venn diagram and those large circles are today's large antivirus companies. Those circles overlap substantially. And the reason for that is pretty straightforward. Did you hear about perhaps WannaCry? It was a ransomware--
>> Absolutely, absolutely.
>> If you're an antivirus company and you're not cognizant, you're not detecting WannaCry, then it's real easy to write you off. But the difficulty there is on the backend what that incentivizes is a lot of security companies doing duplicated work trying to detect the same threat. So there's a little bit of a clumpiness, there's a little bit of overlap, in what they detect and further it's very difficult although we've been speaking with people at those companies. They're always interested in the latest threat and uniquely detecting things, but it's sometimes very difficult to make Dell's argument that hey I detect this esoteric family of power
>> Donald: Malicious URL, or et cetera.
>> Exactly and by the way you're also going to get hit with it. That's a very difficult argument.
>> So, you're sort of addressing the underserved areas, then, within security.
>> Precisely, so the way that PolySwarm will look in that Venn diagram, is instead of large, mostly overlapping ovals, we'll have thousands of micro-engines written by security experts that each find their specialty. And that together this crowdsourced intelligence will cover more.
>> Interesting, very good, very good, okay. So, just last question here. Talk around a little bit of the background. How did PolySwarm come together? I know you talked about Narf Industries, et cetera. Why don't you just give us a little of the background here? 'Cause it's impressive.
>> Sure, so again my background, and the entire PolySwarm technical team's background, is information security. We also run and work for a computer security consultancy called Narf Industries. Our more public work has been for DARPA, as of late. There was a large competition that DARPA ran called the "Cyber Grand Challenge" that was the-- they were trying to create the autonomous equivalent of a human capture the flag competition, which is a hacking competition. Anyway, we helped develop the challenges for that program and otherwise helped in that phase. So that's a public-facing project.
>> And you won part of that competition, is that correct?
>> Yeah, so we weren't competing in DARPA's Cyber Grand Challenge, but in the human capture the flags, we have won those. All the members of the core PolySwarm, and also Narf Industries, technical team have won DEF CON's capture the flag competition at least once. And some of us have helped run that competition. That's considered the world series of hacking (laughs). So, that's our background, and we're also all we've all previously worked directly for the U.S. government, so we're very much embedded in the cutting edge of cyber security. And, finally, the last thing I'll say, is Narf was recently awarded a contract with the Department of Homeland Security for investigating how to build confidentiality controls into a blockchain environment. The Department of Homeland Security was concerned about identity management. They wanted to apply a blockchain phase. But part of that, is obviously, you want to protect people's private information. So, how do you do that phase that, by default, is purely public.
>> Got it, okay look we're going to have to end there, but let me just say, we would be remiss without mentioning the fact that your ICO's starting. When's that going to happen?
>> So, we have an ICO that's going to go live February 6. Right now, we're just trying to generate buzz, talking to great people like yourself.
After that lead up to the ICO, we'd like to encourage people to check out our website at polyswarm.io, we have a Telegram group that's growing every day. And, again, a large part of what we would be funded by this ICO to accomplish is building the community around using PolySwarm. Fortunately, again, this is our space. So, we know a lot of people in this space, but we're always happy to be meeting people, so we'd love for all your viewers to join the conversation and engage with us. Our DMs on Twitter are open, et cetera.
>> Okay, we hope they do. Probably just want to make one final point is that you guys are actually publishing all your code on GitHub ahead of the ICO, right? That kind of makes you unique in a very difficult space.
>> It, unfortunately, does make us unique. I wish more projects did do that. But, yes, we are publishing our code in advance of the token sale. PolySwarm, if you're familiar with the conversation between securities and utility tokens, PolySwarm is very much a utility token. People will grade Nectar, which is the name of our Token, for threat intelligence. And part of that is we want to have a usable ecosystem on day one when people buy tokens. We want to make sure that you're not investing in some future thing. Obviously we're going to improve on it, but it will be usable from day one (missing audio).
>> Alright, fantastic, so thank you, Paul. I appreciate you coming in. Alright, well thanks, everyone. Thank you for watching. This is Donald Klein with CUBE Conversations coming to you from Palo Alto, California. Thank you for watching.
(digital music)

Published Date : Dec 14 2017


Rene Bostic - IBM OCA Seattle - #theCUBE #IBMOCA


 

>>On the ground presented by theCUBE. Here's your host, John Furrier.
>>Hello everyone. Welcome to theCUBE on the ground here in Seattle, Washington, the IBM Open Cloud Architecture Summit, the day after DockerCon. I'm John Furrier, the host of theCUBE. We're here with Rene Bostic, who's the vice president of technical cloud at IBM. So the customer journey. What is the customer journey because there are many paths to the cloud, certainly open source collaboration, kicking the tires. How is the engagement with customers now changed? What is, what's it like? Take us through an example.
>>Okay, well first I want to say it all starts with where the customer is coming into as you said, into the journey. And we have at IBM a cloud capability maturity model and what we do is we actually work with our clients and see do they know anything about a cloud today? And if they do then we go on that path with them in order to explain the technology, understand their use case scenarios. Right? Because you want to come from a solution perspective and not from a product or technology perspective where they are. What their problems are and then all the way to the end of the spectrum where customers have been on the cloud journey for some time and now what they would like to do is they have a multicloud environment. How can they bring that all together in an integrated and interoperable,
>>So the bigger customers, more advanced have multiple clouds, but the early ones can need to understand the use cases that fit for their business, the application environment. That's cool. Now I've got to ask this kind of a different question. Kind of going back to the client server days, it used to be a very simple formula. You do an audit, you get, you get paid for that, you do a strategy session, you do a POC, and then you go to production over months, maybe a year, depending on how big it is, not the cloud. They want stuff fast.
Is it the same concept, that process or is there happening differently, faster?
>>Absolutely. It's different and the reason why it's different back to your point is we're now more in an agile environment. Back to your point that customers are leveraging methodologies like scrum and what they would like to do is, you know, back to understanding the use case scenario, be able to come to the market faster. You've heard the terminology disruptive innovation, right? So they want to be able to create new markets or serve markets that they don't currently serve today, so they can't do it the way we've been doing it in the past. But what we found out is design is key. And so what we have done at IBM is we have a Bluemix Garage where we have a design methodology and the customers can come in and actually bring in their applications, their ideas, and then we helped them develop that.
>>I've got to ask you, is it, is it, is it chaotic for customers? Because I can only imagine the industry is chaotic. Cloud technology fabric is changing rapidly. The industry formation is changing rapidly. What are some of the patterns that you're seeing that are common amongst all customers? I mean, is it chaotic? Is it much more of their learning? Is it more advanced? What? Can you share any anecdotal color around the patterns that you're seeing in the customer environment?
>>Right. I would say that customers are now learning, the lessons learned are now coming now, right? Because they've actually evolved. They're not at the exculpatory, it's exploit exploratory kind of a phase in cloud anymore. So now what they're doing is they're saying, what are the lessons learned that we have? And what we find out is that customers, the sand security infrastructure networking infrastructure, they are just as important as the cloud use cases that designed this.
>>We just were at DockerCon for two days and we interviewed for two straight days, wall to wall coverage.
And one of the most interesting comments that I heard was from Scott Johnson, the COO of Docker. And I'm like, Oh, this application craze and dev ops has gone mainstream. That's so amazing. Now that we have to operate it now. So now dev ops success has changed IT operations, right? And he goes, well, what's your thoughts? He goes, well, certainly no one's going to change their service level agreements. So you see ops now accepting the dev ops ethos, but yet the standards are so high for security and operational, SLAs and running the business. Do you see that area? What's your thoughts on this? Because this seems to be a common thread that we're hearing. Okay, I'm sold on dev ops agile and now I've got to run it. What are the customers doing in this area?
>>Well, what customers are really doing is they're looking for frameworks and they want to make sure that we look at security, if you will, from, you know, doing everything on the glass, right? Making sure that we have single sign on capabilities all the way to um, identify and grow vulnerabilities within a cloud environment. What are some of the risks and threats? And so they truly come into IBM and saying, let's share with you our concerns. And then we know you have a framework that you can address that. And back to your point, from a dev ops perspective, I mean, it looks at the entire application life cycle and that's why operations now is so entrenched in understanding that we are here to remove the right waste, make it more secure, and have governance around it.
>>So final question. What do you think about this open cloud architecture summit? What's this all about? Customers like it, they embracing it. Are they interested?
>>Yes, yes, yes. All of the above. And I would say because, and back to your point at the beginning with some multicloud environment and customers want to know, I don't want them to lock in.
They want to make sure that they remain open open standards and they want to make sure that they have like cloud brokerage. Uh, they want to make sure that as they develop their architectures that you know, they can actually have a platform, uh, you know, environments where they can, um, have that interoperability and it's going to be become more and more better and more and more efficient over time. Open wins, as we say, open source mainstream.
>>Rene, thank you for sharing your insight. I'm John. We here on the ground in Seattle, Washington at the IBM open cloud architecture summit. Thanks for watching.

Published Date : Jun 23 2016
