>> Announcer: Live from San Juan, Puerto Rico, it's theCUBE. Covering Blockchain Unbound, brought to you by Blockchain Industries. (upbeat samba music) >> Hey, everyone. Welcome back to our exclusive coverage in Puerto Rico for Blockchain Unbound Global Conference, where everyone from around the world is coming here. And the Blockchain cryptocurrency, a decentralized application market, changing the game, the future of work, future of government, the future of the world happening. The biggest wave in the tech generation we've seen in centuries. And I'm here in Puerto Rico at the Vanderbilt Hotel. Our next guest, Anthony Delgado, the CEO of Disrupt. We're got some real innovative projects around bringing his work and his vision to Puerto Rico. Anthony, thanks for spending the time. >> Thank you for having me. >> So, talk about your project. Tell me a bit about your project. For instance, you learn how to code. What's goin' on with that? You're doing it in New Jersey, in Newark schools there. Just take me in to explain what you're working on. >> Absolutely. So, back in January, I met a gentleman. His name was David, and he's from Puerto Rico, and he's lived in Puerto Rico for the last eight years, and he runs a tourism company. And when the hurricane happened, his for-profit company transformed into a non-profit. And the same trucks that he used to do tours, he start doing humanitarian work. And I met him at an app release party for a client of mine, and he looked me in my face and says, "Anthony, I'm doing to best work of my life." And I was like, "oh my God! "I'm not doing the best work of my life!" And so, we go to a diner, and I had the worst tuna fish sandwich that I've ever had in my life, but the best conversation. And we start brainstorming about how can we transform and help the people of Puerto Rico? So, the first problem is energy. Close to 50 percent of the island still does not have energy. In the capital, in the beautiful place we are now, power has been restored, but there are many cities that are still forgotten. So, me as the tech guy, I'm like, hey, we can do solar panels. Like, there's tons of sunshine in Puerto Rico, right? So, solar energy. And then the next thing he brought to my attention was that the entire economy is actually based on tourism. So, now, with the hurricane and all those things that are in the media, not only did people lose their jobs, ah, not only did people lose their homes, but they lost their job as well. So, we start brainstorming. We're like, okay, well, let's create a coding school to teach the digital skills that are needed, to the people in Puerto Rico. So, we're goin' back and forth, and he said, "Okay, that's a great idea, "but how are these kids going to pay for this school?" So, the concept that we've come up with is to combine education with vacation, and basically encourage people who are paying to go to school in New York City and encourage them to come to Puerto Rico, experience this beautiful island, learn how to code in the a.m. and have an amazing vacation in the p.m. And that's what we're building. So, we're building the Caribbean Institute of Technology, where we combine education with a vacation. >> So, Institute of Technology. We were talking before we came on camera that you were at the Institute of Technology, a school my two brothers went to. Great engineering school, renowned for it's program. You're doing work there there as well, so you're taking your mission of what you're doing there in New Jersey and bringing it to Puerto Rico. Sounds like you were really impacted by that conversation. As you're here in Puerto Rico, what's your assessment? Good call? Are you happy, and what's on your to-do list as you're down here? So, it's beautiful. I mean, I was here two weeks ago, and now I'm back for this global currency conference. I really feel like there's an unlimited amount of opportunity here in the island. It's the strongest internet, there's huge tax incentives if you start a new business here, and it's really a blank canvas. You know, the hurricane was a horrible atrocity that happened, but now we have this blank canvas to create a vision for Puerto Rico. So, we created a foundation. It's called Vision for PR. And the question that we're asking ourselves is: What would we do if we were creating a new city in America today? What would it look like? It would have solar energy. The power lines would be below ground instead of above ground, right? You know, the economy would be based on the digital economy and not tourism, right? So, we look at countries like Bali, we look at countries like India. We look at countries where they have this huge influx of currency that's getting generated from overseas. So, we really want to be part of the driving force that has Puerto Rico being the Hong Kong of the Caribbean. >> And it really is a clean sheet of paper, because certainly the hurricane puts a real awakening to the needs here. And now that you look at the infrastructure and how it needs to be revamped, this is an opportunity to lay down some fat pipes, high-speed internet, loop Blockchain, the Blockchain.edu chain project that they've got goin' on, http://educhain.io is interesting. The young people, they want more. I mean, that's my vibe here, I'd sense. Yet the old guard, they're scared. They want to preserve their culture, yet there's this huge incentive to move beyond tourism. This is an opportunity for Puerto Rico to be sovereign nation at a level that could go significantly higher-level than they are now. So, that's all great. What do you do? I mean, it seems like Brock Pierce is laying down his vision: come here, bring your cash, bring your community, do good. How is the playbook evolving? Because that's a question people want to know How do I come to Puerto Rico, do it right, not offend the culture, enable them, come together? What's your experience with the playbook? >> Absolutely. So, you know, technology and access to the internet, it democratizes the world. You know, now you're on a level playing field. If you have four G connectivity, and you're on an island, you can compete globally and be a part of the global economy. So, really the opportunity here - [Interviewer] Are you going to start a company here? >> Yeah, so we are starting the Caribbean Institute here in Puerto Rico. And um, yes, so we had this-- >> As a separate corporation? >> Separate corporation. So, we have a non-profit that runs in New Jersey called Newark Kids Code, where we teach kids to code, and we really want to take that model and teach people to code here in Puerto Rico as well. So we started a corporation, it's the Caribbean Institute of Technology-- [Interviewer] Is it going to be a virtual school? Is it going to put up a facility? >> No, no, it's in person. It's in person, so, we have the architect right now working on the renderings. I'd love to share those with you as well. >> Well, certainly, we'll publish them on our blog. But so you're going to put an actual location here. So this is your notion of having people take a vacation and work here. >> Yeah, so that's all well and good, but, like you mentioned, how does that help the people from Puerto Rico? So, what we've created is a scholarship program. So, for every single person from the United States or overseas that comes here to take our coding school, we sponsor someone from the island. >> It's like a fellowship. >> Yes. (Interviewer laughs) >> Alright, so what else are you working on? I see Disrupt is your company. Tell us a bit about you and what you do, and what's goin' on with Disrupt. >> Absolutely! So, Disrupt is a media agency based in New York City. And we focus on creating innovative products that change the world. So, we work with clients who have innovative products that are making a big impact. One of the products that we're working on is called True Connect. It's AI for sales people. And basically it syncs with your Google calendar and it gives you recommendations on ways to connect with your clients. So, it gives you a news feed of news stories, but it's not stories that you're personally interested in, it's stories that your clients would be interested in, so you have topics of conversation. >> It's kind of like a reversed Linked In. >> Yes. (Interviewer laughs) A reversed Linked In, absolutely. >> You also do some really important projects that matter to peoples' lives. Talk about the project that you're working on for the autism kids, that's really interesting. Take a moment to explain that. >> Absolutely. So, another one of our clients is Debbie Stone. She has a non-profit called Pop Earth. And it's basically a free school for kids with autism. So, based on that she's starting a IOT company called the Popu Lace. It's an IOT device, it's about the size of a quarter, and it has GPS, 4G connectivity, and it hooks into a student's shoelaces. There's a huge problem with kids with autism, if they wander off from school, they can get hit by a car, and they don't have the communication skills to get found again. So this device puts a geofence around their school-- >> Alzheimer's, there's a zillion use cases. So, geofencing a location, like Snapchat ads they do, but this is for a good reason, safety and impact to people's lives. >> Absolutely. >> Caregivers, too, they matter. >> Yeah, caregivers, people who go mountain climbing, hiking, all of these other use cases. Primarily focusing on children during the beginning, but yes, Alzeimer's, and hikers, and tons of uses for this. >> Great stuff. Congratulations, Anthony, great to have this conversation with you, really inspired. Good luck with the Puerto Rico opportunity, the Caribbean Institute of Technologies. Will it be on the Caribbean, Bahamas? We were just there for Poly Con. Other islands, start at Puerto Rico... >> Absolutely. So, we're actually open-sourcing the floor plan for the building that we're building. So, the building that we're building has solar energy. It's a green building. And we're open-sourcing that floor plan so that anyone in the Caribbeans, South America, anywhere in the world can adopt this model. >> It's the wee work for paying it forward. >> Absolutely. >> Well done, Anthony. Anthony Delgado, CEO of Disrupt, doing amazing work here, paying it forward, contributing here with the Caribbean Institute of Technology. I'm John Ferrier, in Puerto Rico for our on-the ground coverage of Blockchain Unbound. Be back with more. Thanks for watching. >> Thank you for having me.

>> Hey, welcome back everybody. Jeff Frigg here with theCUBE. We're at Data Privacy Day 2018 here at Linked-In's brand new, downtown San Francisco headquarters not in Sunny Vale. And we're excited to be here for the second time. And we've got Eve Maylar back she's a VP in innovation and emerging tech at Forge Rock, we caught up last year, so great to see you. >> Likewise. >> So what's different in 2018 than 2017? >> Well GDPR, the general data protection regulation Well, also we didn't talk about it much here today, but the payment services directive version two is on the lips of everybody in the EU who's in financial services, along with open banking, and all these regulations are actually as much about digital transformation, I've been starting to say hashtag digital transformation, as they are about regulating data protection and privacy, so that's big. >> So why aren't those other two being talked about here do you think? >> To a certain extent they are for the global banks and the multinational banks and they have as much impact on things like user consent as GDPR does, so that's a big thing. >> Jeff: Same penalties? >> They do have some penalties, but they are as much about, okay, I'm starting to say hashtag in front of all these cliches, but you know they are as much about trying to do the digital single market as GDPR is, so what they're trying to do is have a level playing field for all those players. So the way that GDPR is trying to make sure that all of the countries have the same kind of regulations to apply so that they can get to the business of doing business. >> Right, right, and so it's the same thing trying to have this kind of unified platform. >> Yup, absolutely, and so that affects companies here if they play in that market as well. >> So there's a lot of talk on this security site when you go to these security conferences about baking security in everywhere, right? It can't be OL guard anymore, there is no such thing as keeping the bad guys out, it's more all the places you need to bake in security, and so you're talking about that really needs to be on the privacy side as well, it needs to go hand-in-hand, not be counter to innovation. >> Yes, it is not a zero sum game, it should be a positive sum game in fact, GDPR would call it data protection by design and by default. And so, you have to bake it in, and I think the best way to bake it in is to see this as an opportunity to do better business with your customers, your consumers, your patients, your citizens, your students, and the way to do that is to actually go for a trust mark instead of, I shouldn't say a trust mark, but go for building trusted digital relationships with all those people instead of just saying "Well I'm going to go for compliance" and then say " Well I'm sorry if you didn't feel that action "on my part was correct" >> Well hopefully it's more successful than we've seen on the security side right? Because data breaches are happening constantly, no one is immune and I don't know, we're almost kind of getting immune to it. I mean Yahoo's it was their entire database of however many billions of people, and some will say it's not even when you get caught it's more about how you react, when you do get caught both from a PR perspective, as well as mending faith like the old Tylenol issue back in the day, so, on the privacy side do you expect that to be the same? Are these regulations in such a way where it's relatively easy to implement so we won't have kind of this never ending breach problem on the security side, or is it going to be kind of the same. >> I think I just made a face when you said easy, the word easy okay. >> Not easy but actually doable, 'cause sometimes it feels like some of the security stuff again on the breaches specifically, yeah it seems like it should be doable, but man oh man we just hear over and over again on the headlines that people are getting compromised. >> Yeah people are getting compromised and I think they are sort of getting immune to the stories when it's a security breach. We try to do at my company at Forge Rock we're identities so I have this identity lens that I see everything through, and I think especially in the internet of things which we've talked about in the past there's a recognition that digital identity is a way that you can start to attack security and privacy problems, because if you want to, for example, save off somebody's consent to let information about them flow, you need to have a persistent storage that they did consent, you need to have persistent storage of the information about them, and if they want to withdraw consent which is a thing like GDPR requires you to be able to do, and prove that they're able to do, you need to have a persistent storage of their digital identity. So identity is actually a solution to the problem, and what you want to do is have an identity and access management solution that actually reduces the friction to solving those problems so it's basically a way to have consent life cycle management if you will and have that solution be able to solve your problems of security and privacy. >> And to come at it from the identity point of view versus coming at it from the data point of view. >> That's right, and especially when it comes to internet of things, but not even just internet of things, you're starting to need to authenticate and identity everything; services, applications, piles of data, and smart devices, and people, and keep track of the relationships among them. >> We just like to say people are things too so you can always include the people in the IT conversation. But it is pretty interesting the identity task 'cause we see that more and more, security companies coming at the problem from an identity problem because now you can test the identity against applications, against data, against usage, change what's available, not available to them, versus trying to build that big wall. >> Yes, there's no perimeters anymore. >> Unless you go to China and walk the old great wall. >> Yes you're taking your burner devices with you aren't you? (laughs) >> Yes. >> Good, good to hear >> Yeah but it's a very different way to attack the problem from an identity point of view. >> Yeah, and one of the interesting things actually about PSD2 and this open banking mandate, and I was talking about they want to get digital business to be more attractive, is that they're demanding strong customer authentication, SCA they call it, and so I think we're going to see, I think we talked about passwords last time we met, less reliance. >> Jeff: And I still have them and I still can't remember them. >> Well you know, less reliance on passwords either is the only factor or sometimes a factor, and more sophisticated authentication that has less impact, well less negative impact on your life, and so I'm kind of hopeful that they're getting it, and these things are rolling up faster than GDPR, so I think those are kind of easier. They're aware of the API economy, they get it. They get all the standards that are needed. >> 'Cause the API especially when you get the thing to thing and you got multi steps and everything is depending on the connectivity upstream, you've got some significant issues if you throw a big wrench into there. But it's interesting to see how the two factor authentication is slowly working its way into more and more applications, and using a phone now without the old RSA key on the keychain, what a game changer that is. >> Yeah I think we're getting there. Nice to hear something's improving right? >> There you go. So as you look forward to 2018 what are some of your priorities, what are we going to be talking about a year from now do you think? >> Well I'm working on this really interesting project, this is in the UK, it has to do with Affintech, the UK has a mandate that it's calling the Pensions Dashboard Project, and I think that this has got a great analogy in the US, we have 401ks. They did a study there where they say the average person has 11 jobs over their lifetime and they leave behind some, what they call pension pots, so that would be like our 401ks, and this Pensions Dashboard Project is a way for people to find all of their left behind pension pots, and we talked last year about the technology that I've worked on called user managed access, UMA, which is a way where you can kind of have a standardized version of that Google Docs share button where you're in control of how much you share with somebody else, well they're using UMA to actually manage this pension finder service, so you give access first of all, to yourself, so you can get this aggregated dashboard view of all your pensions, and then you can share, one pension pot, you know one account, or more, with financial advisors selectively, and get advice on how to spend your newly found money. It's pretty awesome and it's an Affintech use case. >> How much unclaimed pension pot money, that must just be. >> In the country, in the UK, apparently it's billions upon billions, so imagine in the US, I mean it's probably a trillion dollars. I'm not sure, but it's a lot. We should do something here, I'm wondering how much money I have left behind. >> All right check your pension pot, that's the message from today's interview. All right Eve, well thanks for taking a few minutes, and again really interesting space and you guys are right at the forefront, so exciting times. >> It's a pleasure. >> All right she's Eve Maylar I'm Jeff Frigg you're watching theCUBE from Data Privacy Day 2018, thanks for watching, catch you next time. (upbeat music)

(screen switch sound) >> Hey, welcome back everybody. Jeff Frick here with theCUBE. We're at the place that you should be. Where is that you say? Linked-In's new downtown San Francisco's headquarters at Data Privacy Day 2018. It's a small, but growing event. Talking, really a lot about privacy. You know we talk a lot about security all the time. But privacy is this kind of other piece of security and ironically it's often security that's used as a tool to kind of knock privacy down. So it's an interesting relationship. We're really excited to be joined by our first guest Michelle Dennedy. We had her on last year, terrific conversation. She's the Chief Privacy Officer at Cisco and a keynote speaker here. Michelle, great to see you again. >> Great to see you and happy privacy day. >> Thank you, thank you. So it's been a year, what has kind of changed on the landscape from a year ago? >> Well, we have this little thing called GDPR. >> Jeff: That's right. >> You know, it's this little old thing the General Data Protection Regulation. It's been, it was enacted almost two years ago. It will be enforced May 25, 2018. So everyone's getting ready. It's not Y2K, it's the beginning of a whole new era in data. >> But the potential penalties, direct penalties. Y2K had a lot of indirect penalties if the computers went down that night. But this has significant potential financial penalties that are spelled out very clearly. Multiples of revenue. >> Absolutely >> So what are people doing? How are they getting ready? Obviously, the Y2k, great example. It was a scramble. No one really knew what was going to happen. So what are people doing to get ready for this? >> Yeah, I think its, I like the analogy it ends because January one, after 2000, we figured it out, right? Or it didn't happen because of our prep work. In this case, we have had 20 years of lead time. 1995, 1998, we had major pieces of legislation saying know thy data, know where it's going, value it and secure it, and make sure your users know where and what it is. We didn't do a whole lot about it. There are niche market people, like myself, who said "Oh my gosh, this is really important." but now the rest of the world has to wake up and pay attention because four percent of global turnover is not chump change in a multi-billion dollar business and in a small business it could be the only available revenue stream that you wanted to spend innovating-- >> Right, right >> rather than recovering. >> But the difficulty again, as we've talked about before is not as much the companies. I mean obviously the companies have a fiduciary responsibility. But the people-- >> Yes. >> On the end of the data, will hit the ULA as we talked about before without thinking about it. They're walking around sharing all this information. They're logging in to public WiFi's and we actually even just got a note at theCube the other day asking us what our impact, are we getting personal information when we're filming stuff that's going out live over the internet. So I think this is a kind of weird implication. >> I wish I could like feel sad for that but there's a part of my privacy soul that's like, "Yes! People should be asking. "What are you doing with my image after this? "How will you repurpose this video? "Who are my users looking at it?" I actually, I think it's difficult at first to get started. But once you know how to do it, it's like being a nutritionist and a chef all in one. Think about the days before nutrition labels for food. When it was first required, and very high penalties of the same quanta of the GDPR and some of these other Asiatic countries are the same, people simply didn't know what they were eating. >> Right. >> People couldn't take care of their health and look for gluten free, or vitamin E, or vitamin A, or omega whatever. Now, it's a differentiator. Now to get there, people had to test food. They had to understand sources. They had to look at organics and pesticides and say, "This is something that the populace wants." And look at the innovation and even something as basic and integral to your humanity as food now we're looking at what is the story that we're sharing with one another and can we put the same effort in to get the same benefits out. Putting together a nutrition label for your data, understanding the mechanisms, understanding the life cycle flow. It's everything and is it a pain in the tuckus some times? You betcha. Why do it? A: You're going to get punished if you don't. But more importantly, B: It's the gateway to innovation. >> Right. It's just funny. We talked to a gal in a security show and she's got 100% hit rate. She did this at Black Hat, social engineering access to anything. Basically by calling, being a sweetheart, asking the right questions and getting access to people's-- >> Exactly. >> So where does that fit in terms of the company responsibility, when they are putting everything, as much as they can in their place. Here like at AWS too you'll hear, "Somebody has a security breach at AWS." Well it wasn't the security of the AWS system, it was somebody didn't hit a toggle switch in the right position. >> That's right. >> So it's pretty complex versus if you're a food manufacturer, hopefully you have pretty good controls as to what you put in the food and then you can come back and define. So it's a really complicated problem when it's the users who you're tryna protect that are often the people that are causing the most problems. >> Absolutely. And every analogy has its failures right? >> Right, right. >> We'll stick with food for a while. >> Oh no I like the food one. >> Alright it's something you can understand. >> Y2K is kind of old, right. >> Yeah, yeah. But think about like, have we made, I was going to use a brand name, a spray on cheese chip, have we made that illegal? That stuff is terrible for your body. We have an obesity crisis here in North America certainly, and other parts of the world, and yet we let people choose what they're putting into their bodies. At the same time we're educating consumers about what the new food chart should look like, we're listening to maybe sugar isn't as good as we thought it was, maybe fat isn't as bad. So giving people some modicum of control doesn't mean that people are always going to make the right choices but at least we give them a running chance by being able to test and separate and be accountable for at least what we put into the ingredients. >> Right, right, okay so what are some of the things you're working on at Cisco? I think you said before we go on the air you have a new report published, study, what's going on? I do, I'm ashamed Jeff to be so excited about data but, I'm excited about data. (laughter) >> Everybody's excited about data. >> Are they? >> Absolutely. >> Alright let's geek out for a moment. >> So what did you find out? >> So we actually did the first metrics reporting correlating data privacy maturity models and asking customers, 3,000 customers plus in 20 different countries from companies of all sizes S and B's to very large corps, are you experiencing a slow down based on the fears of privacy and security problems? We found that 68 percent of these questions said yes indeed we are, and we asked them what is the average timing of slowing down closing business based on these fears. We found a big spread from over 16 and a half weeks all the way down to two weeks. We said that's interesting. We asked that same set of customers, where would you put yourself on a zero to five ad hoc to optimized privacy maturity model. What we found was if you were even middle of the road a three or a four, to having some awareness, having some basic tools, you can lower your risk of loss, by up to 70 percent. I'm making it sound like it's causation, it's just a correlation but it was such a strong one that when we ran the data last year I didn't run the report, because we weren't sure enough. So we ran it again and got the same quantum with a larger sample size. So now I feel pretty confident that the self reporting of data maturity is related to closing business more efficiently and faster on the up side and limiting your losses on the down side. >> Right, so where are the holes? What's the easiest way to get from a zero or one to a three or a four, I don't even want to say three or four, two or three in terms of behaviors, actions, things that people do? >> So you're scratching on my geeky legal underbelly here. (laughter) I'm going to say it depends Jeff. >> Of course of course. >> Couching this and I'm not your lawyer. >> No forward licking statements. >> No forward licking statement. Well, for a reason what the heck. We're looking forward not back. It really does depend on your organization. So, Cisco, my company we are known for engineering. In fact on the down side of our brand, we're known for having trouble letting go until everything is perfect. So, sometimes it's slower than you want cause we want to be so perfect. In that culture my coming into the engineering with their bonafides and their pride in their brand, that's where I start to attack with privacy engineering education, and looking at specs and requirements for the products and services. So hitting my company where it lives in engineering was a great place to start to build in maturity. In a company like a large telco or healthcare or highly regulated industry, come from the legal aspect. Start with compliance if that's what is effective for your organization. >> Right, right. >> So look at where you are in your organization and then hit it there first, and then you can fill up, document those policies, make sure training is fun. Don't be afraid to embarrass yourself. It's kind of my mantra these days. Be a storyteller, make it personal to your employees and your customers, and actually care. >> Right, hopefully, hopefully. >> It's a weird thing to say right, you actually should give a beep >> Have a relationship with people. When you look at how companies moved that curve from last year to this year was it a significant movement? Was it more than you thought less than you thought? Is it appropriate for what's coming up? >> We haven't tracked individual companies time after time cause it's double blind study. So it's survey data. The survey numbers are statistically relevant. That when you have a greater level of less ad hoc and more routinized systems, more privacy policies that are stated and transparent, more tools and technologies that are implemented, measured, tested, and more board level engagement you start to see that even if you have a cyber risk the chances that it's over 500 thousand per event goes down precipitously. If you are at that kind of mid range level of maturity you can take off 70 percent of the lag time and go from about four months of closing a deal that has privacy and security implications to somewhere around two to three weeks. That's a lot of time. Time in business is everything. We run by the quarter. >> Yeah well if you don't sell it today, you never get today back. You might sell it tomorrow, but you never get today back. Alright so we just flipped the calendar. I can't believe it's 2018. That's a whole different conversation. (laughter) What are your priorities for 2018 as you look forward? >> Oh my gosh. I am hungry for privacy engineering to become a non niche topic. We're going out to universities. We're going out to high schools. We're doing innovation challenges within Cisco to make innovating around data a competitive advantage for everyone, and come up with a common language. So that if you're a user interface guy you're thinking about data control and the stories that you're telling about what the real value is behind your thing. If you are a compliance guy or girl, how do I efficiently measure? How do I come back again in three months without having compliance fatigue, because after the first couple days of enforcement of GDPR and some of these other laws come into force it's really easy to say whew, it didn't hit me. I've got no problem now. >> Right. >> That is not the attitude I want people to take. I want them to take real ownership over this information. >> It's very ana logist to what's happening in security. >> Very much so. >> Just baking it in all the way. It's not a walled garden. You can't defend the perimeter anymore, but it's got to be baked into everything. >> It's no mistake that it's like the security world. They're about 25 years ahead of us in data privacy and protection. My boss is our chief trust officer who formally was our CISO I am absolutely free riding on all the progresses the security people have made. We're just really complimenting each others skills, and getting out into other parts of the business in addition to the technical part of the business. >> Exciting times. >> Yeah, it's going to be fun. >> Well great to catch up and >> Yeah you too. >> We'll let you go. Unfortunately we're out of time. We'll see you in 2019. >> Data Privacy Day. >> Data Privacy Day. She's Michelle Dennedy, I'm Jeff Frank. You're watching theCUBE. Thanks for tuning in from Data Privacy Day 2018. (music)

>> Announcer: Live from Orlando, Florida. It's the CUBE. Covering Grace Hopper Celebration of Women in Computing. Brought to you by Silicon Angle Media. >> Welcome back everybody. Jeff Frick here with the Cube. We are winding down day three of the Grace Hopper Celebration of Women in Computing in Orlando. It's 18,000, mainly women, a couple of us men hangin' out. It's been a phenomenal event again. It always amazes me to run into first timers that have never been to the Grace Hopper event. It's a must do if you're in this business and I strongly encourage you to sign up quickly 'cause I think it sells out in about 15 minutes, like a good rock concert. But we're excited to have our next guest. She's Rachel Faber Tobac, UX Research at Course Hero. Rachel, great to see you. >> Thank you so much for having me on. >> Absolutely. So, Course Hero. Give people kind of an overview of what Course Hero is all about. >> Yup. So we are an online learning platform and we help about 200 million students and educators master their classes every year. So we have all the notes, >> 200 million. >> Yes, 200 million! We have all the notes, study guides, resources, anything a student would need to succeed in their classes. And then anything an educator would need to prepare for their classes or connect with their students. >> And what ages of students? What kind of grades? >> They're usually in college, but sometimes we help high schoolers, like AP students. >> Okay. >> Yeah. >> But that's not why you're here. You want to talk about hacking. So you are, what you call a "white hat hacker". >> White hat. >> So for people that aren't familiar with the white hat, >> Yeah. >> We all know about the black hat conference. What is a white hat hacker. >> So a "white hat hacker" is somebody >> Sounds hard to say three times fast. >> I know, it's a tongue twister. A white hat hacker is somebody who is a hacker, but they're doing it to help people. They're trying to make sure that information is kept safer rather than kind of letting it all out on the internet. >> Right, right. Like the old secret shoppers that we used to have back in the pre-internet days. >> Exactly. Exactly. >> So how did you get into that? >> It's a very non-linear story. Are you ready for it? >> Yeah. >> So I started my career as a special education teacher. And I was working with students with special needs. And I wanted to help more people. So, I ended up joining Course Hero. And I was able to help more people at scale, which was awesome. But I was interested in kind of more of the technical side, but I wasn't technical. So my husband went to Defcon. 'cause he's a cyber security researcher. And he calls me at Defcon about three years ago, and he's like, Rach, you have to get over here. I'm like, I'm not really technical. It's all going to go over my head. Why would I come? He's like, you know how you always call companies to try and get our bills lowered? Like calling Comcast. Well they have this competition where they put people in a glass booth and they try and have them do that, but it's hacking companies. You have to get over here and try it. So I bought a ticket to Vegas that night and I ended up doing the white hat hacker competition called The Social Engineering Capture the Flag and I ended up winning second, twice in a row as a newb. So, insane. >> So you're hacking, if I get this right, not via kind of hardcore command line assault. You're using other tools. So like, what are some of the tools that are vulnerabilities that people would never think about. >> So the biggest tool that I use is actually Instagram, which is really scary. 60% of the information that I need to hack a company, I find on Instagram via geolocation. So people are taking pictures of their computers, their work stations. I can get their browser, their version information and then I can help infiltrate that company by calling them over the phone. It's called vishing. So I'll call them and try and get them to go to a malicious link over the phone and if I can do that, I can own their company, by kind of presenting as an insider and getting in that way. (chuckling) It's terrifying. >> So we know phishing right? I keep wanting to get the million dollars from the guy in Africa that keeps offering it to me. >> (snickers) Right. >> I don't whether to bite on that or. >> Don't click the link. >> Don't click the link. >> No. >> But that interesting. So people taking selfies in the office and you can just get a piece of the browser data and the background of that information. >> Yep. >> And that gives you what you need to do. >> Yeah, so I'll find a phone number from somebody. Maybe they take a picture of their business card, right? I'll call that number. Test it to see if it works. And then if it does, I'll call them in that glass booth in front of 400 people and attempt to get them to go to malicious links over the phone to own their company or I can try and get more information about their work station, so we could, quote unquote, tailor an exploit for their software. >> Right. Right. >> We're not actually doing this, right? We're white hat hackers. >> Right. >> If we were the bad guys. >> You'd try to expose the vulnerability. >> Right. The risk. >> And what is your best ruse to get 'em to. Who are you representing yourself as? >> Yeah, so. The representation thing is called pre-texting. It's who you're pretending to be. If you've ever watched like, Catch Me If You Can. >> Right. Right. >> With Frank Abagnale Jr. So for me, the thing that works the best are low status pretext. So as a woman, I would kind of use what we understand about society to kind of exploit that. So you know, right now if I'm a woman and I call you and I'm like, I don't know how to trouble shoot your website. I'm so confused. I have to give a talk, it's in five minutes. Can you just try my link and see if it works on your end? (chuckling) >> You know? Right? You know, you believe that. >> That's brutal. >> Because there's things about our society that help you understand and believe what I'm trying to say. >> Right, right. >> Right? >> That's crazy and so. >> Yeah. >> Do you get, do you make money white hacking for companies? >> So. >> Do they pay you to do this or? Or is it like, part of the service or? >> It didn't start that way. >> Right. >> I started off just doing the Social Engineering Capture the Flag, the SECTF at Defcon. And I've done that two years in a row, but recently, my husband, Evan and I, co-founded a company, Social Proof Security. So we work with companies to train them about how social media can impact them from a social engineering risk perspective. >> Right. >> And so we can come in and help them and train them and understand, you know, via a webinar, 10 minute talk or we can do a deep dive and have them actually step into the shoes of a hacker and try it out themselves. >> Well I just thought the only danger was they know I'm here so they're going to go steal my bike out of my house, 'cause that's on the West Coast. I'm just curious and you may not have a perspective. >> Yeah. >> 'Cause you have niche that you execute, but between say, you know kind of what you're doing, social engineering. >> Yeah. >> You know, front door. >> God, on the telephone. Versus kind of more traditional phishing, you know, please click here. Million dollars if you'll click here versus, you know, what I would think was more hardcore command line. People are really goin' in. I mean do you have any sense for what kind of the distribution of that is, in terms of what people are going after? >> Right, we don't know exactly because usually that information's pretty confidential, >> Sure. when a hack happens. But we guess that about 90% of infiltrations start with either a phishing email or a vishing call. So they're trying to gain information so they can tailor their exploits for your specific machine. And then they'll go in and they'll do that like actual, you know, >> Right. >> technical hacking. >> Right. >> But, I mean, if I'm vishing you right and I'm talking to you over the phone and I get you to go to a malicious link, I can just kind of bypass every security protocol you've set up. I don't even a technical hacker, right? I just got into your computer because. >> 'Cause you're in 'Cause I'm in now, yup. >> I had the other kind of low profile way and I used to hear is, you know, you go after the person that's doin' the company picnic. You know Wordpress site. >> Yes. >> That's not thinking that that's an entry point in. You know, kind of these less obvious access points. >> Right. That's something that I talk about a lot actually is sometimes we go after mundane information. Something like, what pest service provider you use? Or what janitorial service you use? We're not even going to look for like, software on your machine. We might start with a softer target. So if I know what pest extermination provider you use, I can look them up on LinkedIn. See if they've tagged themselves in pictures in your office and now I can understand how do they work with you, what do their visitor badges look like. And then emulate all of that for an onsite attack. Something like, you know, really soft, right? >> So you're sitting in the key note, right? >> Yeah. >> Fei-Fei Li is talking about computer visualization learning. >> Right. >> And you know, Google running kagillions of pictures through an AI tool to be able to recognize the puppy from the blueberry muffin. >> Right. >> Um, I mean, that just represents ridiculous exploitation opportunity at scale. Even you know, >> Yeah. >> You kind of hackin' around the Instagram account, can't even begin to touch, as you said, your other thing. >> Right. >> You did and then you did it at scale. Now the same opportunity here. Both for bad and for good. >> I'm sure AI is going to impact social engineering pretty extremely in the future here. Hopefully they're protecting that data. >> Okay so, give a little plug so they'll look you up and get some more information. But what are just some of the really easy, basic steps that you find people just miss, that should just be, they should not be missing. From these basic things. >> The first thing is that if they want to take a picture at work, like a #TBT, right? It's their third year anniversary at their company. >> Right. Right. >> Step away from your work station. You don't need to take that picture in front of your computer. Because if you do, I'm going to see that little bottom line at the bottom and I'm going to see exactly the browser version, OS and everything like that. Now I'm able to exploit you with that information. So step away when you take your pictures. And if you do happen to take a picture on your computer. I know you're looking at computer nervously. >> I know, I'm like, don't turn my computer on to the cameras. >> Don't look at it! >> You're scarin' me Rachel. >> If you do take a picture of that. Then you don't want let someone authenticate with that information. So let's say I'm calling you and I'm like, hey, I'm with Google Chrome. I know that you use Google Chrome for your service provider. Has your network been slow recently? Everyone's network's been slow recently, right? >> Right. Right. >> So of course you're going to say yes. Don't let someone authenticate with that info. Think to yourself. Oh wait, I posted a picture of my work station recently. I'm not going to let them authenticate and I'm going to hang up. >> Interesting. All right Rachel. Well, I think the opportunity in learning is one thing. The opportunity in this other field is infinite. >> Yeah. >> So thanks for sharing a couple of tips. >> Yes. >> And um. >> Thank you for having me. >> Hopefully we'll keep you on the good side. We won't let you go to the dark side. >> I won't. I promise. >> All right. >> Rachel Faber Tobac and I'm Jeff Frick. You're watchin the Cube from Grace Hopper Celebration Women in Computing. Thanks for watching. (techno music)