Ev Kontsevoy, Teleport | AWS re:Invent 2022
>>Hello everyone and welcome back to Las Vegas. I've got my jazz hands because I am very jazzed to be here at AWS re:Invent, live from the show floor all week. My name is Savannah Peterson, joined with the infamous John Furrier. John, how you feeling >>After feeling great? Love? What's going on here? The vibe is a cloud, cloud native. Lot of security conversation, data, stuff we love Cloud Native, >>M I >>A L, I mean big news. Security, security, data lake. I mean, who would've thought Amazon have a security data lake? You know, EKS, I mean >>You might have with that tweet you had out >>Inside outside the containers. Reminds me, it feels like KubeCon here. >>It honestly, and there's a lot of overlap and it's interesting that you mention KubeCon because we talked to the next company when we were in Detroit just a couple weeks ago. Teleport. Ev is the CEO and founder. Ev, welcome to the show. How you doing? >>I'm doing well. Thank you for having me today. >>We feel very lucky to have you. We hosted Drew who works on the product marketing side of Teleport. Yeah, we got to talk caddies and golf last time on the show. We'll talk about some of your hobbies a little bit later, but just in case someone's tuning in, unfamiliar with Teleport, you're all about identity. Give us a little bit of a pitch, >>Little bit of our pitch. Teleport is the first identity-native infrastructure access platform. It's used by engineers and it's used by machines. So notice that I used very specific choice of words: first identity-native. What does it mean, identity-native? It consists of three things and we're writing a book about those, but I'll let you know. Stay >>Tuned on that front. >>Exactly, yes, but I can talk about 'em today. So the first component of identity-native access is moving away from secrets towards true identity. The secrets, I mean things like passwords, private keys, browser cookies, session tokens, API keys, all of these things are secrets and they make you vulnerable.
The point is, as you scale, it's absolutely impossible to protect all of the secrets because they keep growing and multiplying. So the probability of you getting hacked over time is high. So you need to get rid of secrets altogether. That's the first thing that we do. We use something called True Identity. It's a combination of your biometrics as well as identity of your machines. That's TPMs, HSMs, YubiKeys and so on, so forth. >>Go >>Ahead. The second component is Zero Trust. Like Teleport is built to not trust the network. So every resource inside of your data center automatically gets configured as if there is no perimeter it, it's as safe as it was on the public network. So that's the second thing. Don't trust the network. And the third one is that we keep access policy in one place. So Kubernetes clusters, databases on stage, RDP, all of these protocols, the access policy will be in one place. That's identity. Okay, >>So I'm, I'm a hacker. Pretend I'm a hacker. >>Easy. That sounds, >>That sounds really good to me. Yeah, I'm supposed to tell 'em you're hacker. Okay. I can go to one place and hack that. >>I get this question a lot. The thing is, you want centralization when it comes to security. Think about your house being your AWS account. Okay? Everything inside, your furniture, your valuables, like your watch collection, like that's your data, that's your servers, paper clusters, so and so forth. Right. Now I have a choice and your house is in a really bad neighborhood. Okay, that's the bad internet. Do you wanna have 20 different doors or do you want to have one? But like amazing one, extremely secure, very modern. So it's very easy for you to actually maintain it and enforce policy. So the answer is, oh, you probably need to have >>One. And so you're designing security identity from a perspective of what's best for the security posture. Exactly.
Sounds like, okay, so now that's not against the conventional wisdom of the perimeter's dead, the cloud's everywhere. So in a way kind of brings perimeter concepts into the posture because you know, the old model of the firewall, the moat >>It Yeah. Just doesn't scale. >>It doesn't scale. You guys bring the different solution. How do you fit into the new perimeter's dead cloud paradigm? >>So the, the way it works that if you are, if you are using Teleport to access your infrastructure, let's just use for example, like a server access perspective. Like that machine that you're accessing doesn't listen on a network if it runs in Teleport. So instead Teleport creates these trusted outbound tunnels to the proxy. So essentially you are managing devices using outgoing connection. It's kind of like how your phone runs. Yeah. Like your phone is actually ultimate, it's like a teleport like, like I It's >>Like teleporting into your environment. >>Yeah, well play >>Journal. But >>Think about actually like one example of an amazing company that's true Zero Trust that we're all familiar with would be Apple. Because every time you get a new iOS on your phone, the how is it different from Apple running massive software deployment into enormous cloud with billions of servers sprinkled all over the world without perimeter. How is it possible? That's exactly the kind of technology that Teleport >>gives you. I'm glad you clarified. I really wanted to get that out on the table. Cuz Savannah, this is, this is the paradigm shift around what an environment is. Exactly. Did the Apple example, so, okay, tell 'em about customer traction. Are people like getting it right away? Are their teams ready? Are they go, oh my god this is >>Great. Pretty much you see we kinda lucky like in a, in a, like in this business and I'm walking around looking at all these successful startups, like every single one of them has a story about launching the right thing at just the right like moment.
Like in technology, like the window to launch something is extremely short. Like months. I'm literally talking months. So we built Teleport, started to work on it in like 2015. It was internal project, I believe it or not, also a famous example. It's really popular like internal project, put it on GitHub and it sat there relatively unnoticed for a while and then it just like took off around 2000 >>Because people start to feel the pain. They needed it. Exactly, >>Exactly. >>Yeah. The timing. Well and And what a great way to figure out when the timing is right? When you do something like that, put it on GitHub. Yeah. >>People >>Tell you what's up >>Yeah. It's like a basketball player who can just like be suspended in the air over the hoop for like half the game and then finally he scores and wins >>The game. Or video gamer who's lagged, everyone else is lagging and they got the latency thing. Exactly. Thing air. Okay. Talk about the engineering side. Cause I, I like this at KubeCon, you mentioned it at the opening of this segment that you guys are for engineers, not IT >>business people. That's right. >>Explain that. Interesting. This is super important. Explain why and why that's resonating. >>So there is this ongoing shift on more and more responsibilities going to engineers. Like remember back in the day before we even had clouds, we had people actually racking servers, sticking cables into them, cutting their fingers, like trying to get 'em in. So those were not engineers, they were different teams. Yeah. But then you had system administrators who would maintain these machines for you. Now all of these things are done with code. And when these things are done with code and with APIs, that shifts to engineers. That is what Teleport does with policy. So if you want to have a set of rules that govern who or what and when under what circumstances can access what data like on Kubernetes, on databases, on, on servers, wouldn't it be nice to use code for it.
So then you could use like a version control and you can keep track of changes. That's what Teleport enables. Traditionally IT preferred more kind of clicky graphical things like clicking buttons. And so it's just a different world, different way of doing it. So essentially if you want security as code, that's what Teleport provides and naturally this language resonates with this persona. >>Love that. Security as code. It's >>A great term. Yeah. Love it. I wanna, I wanna, >>Okay. We coined it, someone else uses it on the show. >>We borrow it >>To use credit. When did you, when did you coin that? Just now? >>No, >>I think I coined it before >>You wanted it to be a scoop. I love that. >>I wish I had this story when I, I was like a, like a poor little 14 year old kid was dreaming about security code but >>Well Dave Vellante will testify that I coined data as code before anyone else but it got 10 years ago. You >>Didn't hear it this morning. Jimmy actually brought it back up. Aws, you're about startups and he's >>Whoever came up with Lisp programming language that had this concept that data and code are exact same thing, >>Right? We could debate nerd lexicon all day on the Cube. In fact, that could even be a segment first >>Of we do. First of all, the fact that Lisp came up on the Cube is actually a milestone because Lisp is a very popular language for object-oriented >>Grandfather of everything. >>Yes, yes, grandfather. Good, good. Good catch there. Yeah, well done. >>All right. I'm gonna bring us back. I wanna ask you a question >>Talking about nerd this Lisp is really >>No, I think it's great. You know how nerdy we can get here though. I mean we can just hang out in the weeds the whole time. All right. I wanna ask you a question that I asked Drew when we were in Detroit just because I think for some folks and especially the audience, they may not have as distinctive a definition as y'all do. How do you define identity? >>Oh, that's a great question.
So identity as a term was, it was always used for security purposes. But most people probably use identity in the context of single sign-on, SSO. Meaning that if your company uses identity for access, which instead of having each application have an account for you, like a data entry with your first name, last name, emails and your role. Yeah. You instead have a central database, let's say Okta or something like that. Yep. And then you, you use that to access everything. That's kind of identity-based access because there is a single source of identity. What we say is that we, that needs to be extended because it is no longer enough because that identity can be stolen. So if someone gets access to your Okta account using your credentials, then they can become you. So in order for identity to be attached to you and become your true identity, you have to rely on physical world objects. That's biometrics your facial fingerprint, like your facial print, your fingerprints as well as biometric of your machine. Like your laptops have TPM modules on it. They're absolutely unique. They cannot be cloned stolen. So that is your identity as well. So if you combine whatever is in Okta with the biker chip in this laptop and with your finger that collectively is your true identity, which cannot be stolen. So it can't be hacked. >>And someone can take my finger like they did in the movies. >>So they would have to do that. And they would also have to They'd >>Steal your match. Exactly, exactly. Yeah. And they'd have to have your eyes >>And they have to, and you have >>Whatever the figure that far, they meant what >>They want. So that is what true identity is from Teleport and >>Biometric. I mean it's, we're so there right now it's, it's really not an issue. It's only getting faster and better to >>Market. There is one important thing I said earlier that I want to go back to that I said that Teleport is not just for engineers, it's also for machines.
Cuz machines they also need the identity. So when we talk about access silos and that there are many different doors into your apartment, there are many different ways to access your data. So on the infrastructure side, machines are doing more and more. So we are offloading more and more tasks to them. That's a really good, what do machines use to access each other? Biome? They use API keys, they use private keys, they use basically passwords. Yeah. Like they're secrets and we already know that that's bad, right? Yeah. So how do you extend biometrics to machines? So this is why AWS offers CloudHSM service. HSM is secure hardware security module. That's a unique private key for the machine that is not accessible by anyone. And Teleport uses that to give identities to machines. Does do >>Customers have to enable that themselves or they have that part of a Amazon, the that >>Special. So it's available on AWS. It's available actually in good old, like old bare metal machines that have HSMs on them on the motherboard. And it's optional by the way. Teleport can work even if you don't have that capability. But the point is that we tried, you >>Have a biometric equivalent for the machines with >>Take advantage of it. Yeah. It's a hardware thing that you have to have and we all have it. Amazon sells it. AWS sells it to us. Yeah. And Teleport allows you to leverage that to enhance security of the infrastructure. >>So that classic hardware software play on that we're always talking about here on the Cube. It's all, it's all important. I think this is really fascinating though. So I had an on the way to the show, I just enrolled in Clear and I had used a different email. I enrolled for the second time and my eyes wouldn't let me have two accounts. And this was the first time I had tried to sort of hack my own digital identity. And the girl, I think she was humoring me that was, was kindly helping me, the Clear employee.
But I think she could tell I was trying to mess with it and I wanted to see what would happen. I wanted to see if I could have two different accounts linked to my biometric data and I couldn't it, it picked it up right away. >>That's your true >>Identity. Yeah, my true identity. So, and forgive me cuz this is kind of just a personal question. It might be a little bit finger finger to the wind, but how, just how much more secure if you could, if you could give us a, a rating or a percentage or a a number. How much more secure is leveraging biometric data for identity than the secrets we've been using historically? >>Look, I could, I played this game with you and I can answer like infinitely more secure, right? Like but you know how security works that it all depends on implementation. So let's say you, you can deploy Teleport, you can put us on your infrastructure, but if you're running, let's say like a compromised old copy of WordPress that has vulnerability, you're gonna get a hack through that angle. But >>Happens happens to my personal website all the time. You just touched Yeah, >>But the fact is that we, I I don't see how your credentials will be stolen in this system simply because your TPM on your laptop and your fingerprint, they cannot be downloaded. They like a lot of people actually ask us a slightly different question. It's almost the opposite of it. Like how can I trust you with my biometrics? When I use my fingerprint? That's my information. I don't want the company I work at to get my fingerprint people. I think it's a legit question to ask. >>Yeah. And it's >>What you, the answer to that question is your fingerprint doesn't really leave your laptop. Teleport doesn't see your fingerprint. What happens is when your fingerprint gets validated, it's it's your laptop is matching what's on the TPM. Basically Apple does it and then Apple simply tells Teleport, yep, that's Ev or whoever. And that's what we are really using.
So when you are using this form of authentication, you're not sharing your biometric with the company you work at. >>It's a machine to human confirmation first and >>Then it's it. It's basically you and the laptop agreeing that my fingerprint matches your TPM and if your laptop agrees, it's basically hardware does validation. So, and Teleport simply gets that signal. >>So Ev, my final question for you is here at the show KubeCon, great conversations there for your company. What's your conversations here like at re:Invent? Are you meeting with Amazon people, customers? What are some of the conversations? Because this is a much broader, I mean it's still technical. Yep. But you know, a lot of business kind of discussions, architectural refactoring of organizations. What are some of the things that you're talking about here with Teleport? What are, >>So I will mention maybe two trends I observed. The first one is not even security related. It's basically how like as a cloud becomes more mature, people now actually at different organizations develop their own internal ways of doing cloud properly. And they're not the same. Because when cloud was earlier, like there were these like best practices that everyone was trying to follow and there was like, there was just a maybe lack of expertise in the world and and now finding that different organizations just do things completely different. Like one, like for example, yeah, like some companies love having handful, ideally just one enormous Kubernetes cluster with a bunch of applications on it. And the other companies, they create Kubernetes clusters for different workloads and it's just like all over the map and both of them are believed that they're doing it properly. >>Great example of bringing in, that's Kubernetes with the complexity. And >>That's kind of one trend I'm noticing. And the second one is security related.
Is that everyone is struggling with the access silos is that ideally every organization is dreaming about a day, but they have like one place which is which with great user experience that simply spells out this is what policy is to access this particular data. And it gets automatically enforced by every single cloud provider, by every single application, by every single protocol, by every single resource. But we don't have that unfortunately. Teleport is slowly becoming that, of course. Excuse me for plugging >>Teleport. No, no worries. >>But it is this ongoing theme that everyone can't wait to have that single source of truth for accessing their data. >>The second person to say single source of truth on this stage in the last 24 >>Hours or nerds will love that. I >>Know I feel well, but it's all, it all comes back to that. I keep using this tab analogy, but we all want everything in one place. We don't wanna, we don't wanna have to be going all over the place and to look for >>Both. Because if it's and everything else places, it means that different teams are responsible for it. Yeah. So it becomes this kind of internal information silo as well. So you not even, >>And the risks and liabilities there, depending on who's overseeing everything. That's awesome. Right? So we have a new challenge on the Cube specific to this show. Think of this as your 30 minute or 30 minute, that would be bold. 30-second sizzle reel, Instagram highlight. What is your hot take? Most important thing, biggest theme of the show this year. >>This year. Okay, so here's my thing. Like I want cloud to become something I want it to be. And every time I come here and I'm like, are we closer? Are we closer? So here's what I want. I want all cloud providers collectively to kind of merge. So then when we use them, it feels like we are programming one giant machine. Kind of like in the Matrix, right? The movie.
So like I want cloud to feel like a computer, like to have this almost intimate experience you have with your laptop. Like you can like, like do this and the laptop like performs the instructions. So, and it feels to me that we are getting closer. So like walking around here and seeing how everything works now, like on the single sign-on from a security perspective, there is so that consolidation is finally happening. So it's >>The software mainframe we used to call it back in 2010. >>Yeah, yeah. Just kind of planetary scale thing. Yes. It's not the Zuckerberg that who's building metaverse, it's people here at re:Invent. >>Unlimited resource for developers. Just call in. Yeah, yeah. Give me some resource, spin me up some, some compute. >>I would like alter that slightly. I would just basically go and do this and you shouldn't even worry about how it gets done. Just put instructions into this planetary mainframe and mainframe will go and figure this out. Okay. >>We gotta take blue or blue or red pill. I >>Know. I was just gonna say y'all, we are this, this, this, this segment is lit. >>We got Matrix. We got brilliant. We didn't get super cloud in here but we, we can weave that in. We got >>Lisp. We just said it. So >>We got Lisp. Oh great con, great conversation. Cloud native. >>Outstanding conversation. And thank you so much for being here. We love having Teleport on the show. Obviously we hope to see you back again soon and and Drew as well. And thank all of you for tuning in this afternoon. Live from Las Vegas, Nevada, where we are hanging out at AWS re:Invent with John Furrier. I'm Savannah Peterson. This is the Cube. We are the source for high tech coverage.
Gilad Bracha, Shape Security | CUBEConversation, August 2019
(upbeat music) >> From our studios in the heart of Silicon Valley, Palo Alto, California, this is a Cube Conversation. >> Hello, and welcome to the Palo Alto Cube Studios, I'm John Furrier, host of the Cube. We're here for great Cube conversation with Gilad Bracha who's a distinguished engineer at Shape Security, has a legacy in the programming world, one of the early folks working on Java, a variety of other great things: Smalltalk, Newspeak, a variety of programming accomplishments. A legend in the industry, thanks for coming on. >> Well, thanks for having me, it's a pleasure to be here. >> You know, one of the things we always talk about on the Cube is how I work for a company, they do this, they do this great, here's our differentiator, here's our advantage, a lot of marketing speak, and then we also do a lot of interviews around disruption, around cloud computing, getting to DevOps, network effect, changes of network, moving packets around store and compute, all the benefits of cloud computing but we don't really talk about the underlying languages that are driving all the changes and this is something that you're an expert in and I want to get your thoughts on this because, you know, computer science is at an all time high. You can't go to Berkeley, you see what's going on at Berkeley, the number one major is computer science, the data classes, dreams of starting a company, but computer science is changing a lot. More people are coding but does that mean there's still more computer science going on? So, a lot of people are trying to understand where the future is going to be and underneath it all is the programming languages themselves. >> Yeah, well-- >> Your thoughts on computer science and the languages out there. >> So, too much to say. But computer science is a lot, there are trends and there's a lot of emphasis now on machine learning and things like that.
And it's interesting because that affects, which language you use can make these tasks a lot easier or a lot harder. And we've, you see certain languages being picked up for that purpose and new languages being done for numerical stuff like Julia, people are using R, God forbid and it's really interesting to see that. To me, it's interesting because there's a whole set of languages, the APL family of languages which really go back to the early 60s. But they're just phenomenally designed for these kind of large arrays of data for doing mathematical operations in parallel on large arrays or multi-dimensional arrays, essentially, tensors, back before that word was used in programming. And there's huge potential for doing better in terms of programming with those things. So that is one new, not new but area that's been kind of coming alive again. >> Yeah. >> That's really cool. >> You know, it's interesting, too, you bring up a point. We were talking before we came on camera about Lisp and all these other cool science out there. With, now, the advent of unlimited compute with cloud and, now, kind of new connected devices, a lot of the old science is coming back into vogue because of some of the use cases. I mean, I remember when I graduated college in the 80s, we had departments that were actually called data processing departments. And they used data processing, that's what they did, they processed data. That's the number one use case today is processing data. So, a lot of the old is coming back because it's relevant in this new era. So, I got to ask you, what is your favorite science and computer science that you think is relevant? You mentioned APL, what concepts, we TensorFlow with Google, things like that coming back, you see machine learning and AI, these are not new concepts. >> Well, some of them, I mean-- >> What's your thoughts? 
>> Machine learning, definitely, there have been breakthroughs in the past, I don't know, 10, 15 years and but the basis of it, the beauty of this is the basis of this is the real hardcore math in calculus and statistics, that stuff is golden and wherever it applies throughout the universe and you look at reasoning about these things and it comes up again. That's the root of it all. Making it so that you can manipulate things closer to the level you can with math is really a challenge for programming languages, so that you don't spend your life dealing with, sort of, irrelevant, boring details, oh, this has to be lowercase, that has to be tab, this tool doesn't work on that operating system. Most of our effort as software engineers goes, we're dealing with junk, really, and we should try and abstract over that and get over that. >> What are some of the exciting things that get you excited for programming language because there's a lot more excitement, a lot more opportunities now; you're seeing you can stand up software very quickly these days, and so there's some really quick and dirty ways to get software written with languages. Some want more principle-based design languages that have all the integrated components. What's the trade-off, what are some of the things you like around the new trends? >> So I'll give you something that meets both of the criteria that is both very principled but actually makes it much easier to put something together. One of my favorite new things that have come in the past few years is a thing called Elm which is a language, essentially, the main application, so far, has been to build websites, essentially, UI that's targeting a website but it is a functional programming language but it is much more approachable than the traditional academic stuff, even though the ideas are basically the same, but they're very well engineered.
Actually, better engineered in many respects than a lot of the traditional stuff that you see like the Haskells and OCamls and stuff. And it started for the web, so it's a different game but it's a joy to use, it has great error messages, it has a time traveling debugger which is one of my favorite hobby horses, so you can actually go back and roll the computation back to where a problem occurred. And that, kind of, is interesting because it meets both of those points. >> Talk about this live programming, you mentioned rolling back and this is around live programming. >> Yeah. >> This is an exciting area. >> Oh, yeah. >> Your thoughts on live programming because we're seeing collaboration where I can have a screen open. I saw a demo at Amazon Reinvent last year or year before where people can be in different parts of the world or different offices in the same building and coding the same, I get the collaboration piece but there's also live programming languages that have built-in compile that's changing the old ways of debugging. Your thoughts. >> Right, so, definitely, that is something that people who have a heritage in Smalltalk or Lisp, kind of, remember those systems or, if they're very lucky, still get to use them. And the thing is that most program languages don't have that level of interactivity when you work with them as a developer because there is too much of a feedback loop between when you actually specify what you want to happen by writing code and when you actually see what actually happens when you run your code and it typically doesn't do remotely what you wanted it to. 
That feedback loop is too long 'cause you have to go through compiles and builds and whatever, and the idea of live programming is to shorten that so that you, ideally, instantly see you change something and you can see the output and the output gets changed accordingly and you don't have to wait and, in particular, you don't have to go and rerun your program, get to the same point where you were, especially when you're debugging, right? That's the beauty of fix and continue debugging which is sort of a small but important piece of live programming where you can basically go and change a function and, immediately, proceed with the computation. You don't have to restart, you don't have to get to where you were, recreate the state, make sure the heap is in the same thing and that just, A, it's productive, it saves time. It's just a joy to watch and play with this thing, it's much more tactile, you actually feel-- >> It's faster, too, you don't have to, all the steps involved, classic debugging, restart, do it all over again. >> It's faster and it's less error prone 'cause those steps, you make mistakes, you went through all these steps and you forgot one thing or whatever or you did something wrong and didn't notice and you chased some, you know, went on a wild goose chase trying to figure out a bug, so it really is a huge help to productivity and it's just so much fun to work with these systems. >> Well, I got to get this question for you while you're here because I get this question all the time and it's common. A lot of the young kids want to program, they see the future, they know that coding is a good skill to have. What's your advice to parents out there or kids, whether they're in elementary, or high school, or college, that might have a focus on, say, you know, I'm a neuroscience major or I'm doing this but I want to learn how to code? 
What's your advice for how to learn how to code because I've seen, oh, learn Java, I'm like, okay-- >> God, no. >> Not really my first choice. >> Eat spinach. Do 50 push-ups. No, it's not that comfortable. >> No, no. >> Java's not my first choice for recomm-- >> It's also 50 push-ups and spinach are better for you. Java is actually possibly damaging, at an early age, you should not be doing that. >> Doing Java, in particular? >> No, no. >> Why is that, it's just too complex? >> Because it's a lot of irrelevant boilerplate. It's a lot of stuff that should've been obsolete before and will be obsolete by the time you, hopefully, get to work for real and it's painful and if you aren't really into it, it'll just turn you off of the whole field. >> What's going to get someone excited, is it Elm, is it gaming, is it some sort of-- >> Yeah, so, Elm is good because you can run it, you don't need much setup, you can run in a web browser. I'm a Smalltalker and I still love the Smalltalk systems and they're still, overall, is a complete programming experience, they're still unmatched. Except for Lisp machines which are kind of hard to come by. And so, I'd focus on those-- >> People tend to talk about Python, they talk about some of these languages. If someone's going to tinker around, what's going to be the addictive, if someone's going to-- >> So, people get addicted to all kinds of things but I would-- >> In terms of a good-- >> I tend to avoid the mainstream. People tend to latch on to the mainstream because they think it's a good career move or whatever. My advice is, you get good, learn the fundamentals in the cleanest way possible, then the mainstream stuff will be easy, rather than focusing on it, 'cause there's so much irrelevant detail in those systems and the programming experience is not that great. So, try something a little less meaty, Clojure is a Lisp that you can use and there's ClojureScript as a version that runs on the web. Try Elm. Try Smalltalk. 
>> And all these languages, they can actually produce something of value? >> Yeah, they can definitely, I think, still 70% of the world's container traffic is still run by a Smalltalk application. >> Really, I did not know that. >> Yeah, well, few people do. In Smalltalk, you find that that sort of heyday, in some sense, for commercial applications was in the 90s or 80s, whatever, but replacing those applications, a typical story is, someone says, ah, we should use Java 'cause everybody's using Java and we can get lots of programmers and they spend a lot of money and the new application doesn't work 'cause they can't actually rebuild the thing they built in Smalltalk at any reasonable cost, at any reasonable reliability. So, there are a lot of those systems out there, Morgan Stanley's still running Capital, their Smalltalk system for managing money. So, yeah, you can certainly build things. >> Well, Gilad, I love your commentary here, so I love that you're not shy to hold back. I've got to get your thoughts on cryptocurrency and the Blockchain world. >> Oh, dear. >> A lot of different languages, you got Ethereum, you have, some say, oh, I'm going to use Linux. If you're using Java, we're going to import it in, JavaScript supports it, so there's been kind of like this, every kind of cryptocurrency, Blockchain, has their own language for decentralized applications. Your general thoughts on this. >> So, there's a need for, to slow down and be more careful, all right. Ethereum lost God knows how much money. I've heard quotes but I don't know if it's 50 million or 150 million but a fair amount of money due to problems that were classical distributed programming problems and could have been avoided by, essentially, more careful design of language in the system. There's a pressure now to turn things out in a hurry, right? In the old days, these systems took years and years of research in their little corner and, now, everybody has to do something too fast and that hurts. 
And, often, it's people who don't have the expertise and the background 'cause there's lots of research on all kinds of problems and smart people get snippets of those and they don't quite know what they're doing. And I don't think there's a cure for that because the incentives are there but that's why we're seeing these problems. >> So be careful, the message is be careful. >> Be careful. >> But they're rushing, all this cash is rolling in, they got to have some language. >> Sure, as long it's not their 150 million dollars that they lost, that's fine, but someone was probably upset. >> And, by the way, the security problem was software-error based. >> Most of them are. >> So, this transitions into Shape Security where you're not working as a distinguished engineer, working on some hard problems. I know it's pretty confidential but you guys do power 200 million iOS apps, this is from the PR statement. >> Probably more by now but yeah. >> Past 24 hours, you blocked more than two billion fraudulent login attempts, two million legitimate attempts. Essentially, defending intrusion detects and seems to be the company's value properties, but I don't want to get too much into the company because you're, obviously, on the engineering side. But security from a programming language side is software and people. >> Mm-hm. >> Right, software gets bugs. >> And people make them worse. >> And people make mistakes. >> People make them worse. >> Yeah. >> This is the central process problem in security. Your thoughts in computer science. >> So, most of the time, I mean, Shape does real security and this is fascinating to me but, most of the time, I've been looking at security at the programming language level because, you know, still, I think 70% of intrusions often, not the intrusions but, basically, these big software fiasco security problems get down to array buffer overflows. Which is ridiculous 'cause this is problem that was solved decades ago. 
Why are we still dealing with this? That's because, you know, programming language design, the whole approach to security, access control lists, whatever, there was another approach which was capability-based. And these two grew up together in the 60s and the world, as typically, it makes the wrong choices, it takes what seems appealing in the short term and not what is sort of a more thorough thing. So, object capabilities is a really interesting way of looking at this thing. There are people working on putting some of this into JavaScript so that you could use it somehow. Great work by Mark Miller and company at Agoric. I'll do a shout-out to them. So, I've usually been on that side of things, but real security, there's a lot more to it, that's just one small layer of things and, above that, there's all the humans and the multiple systems they build. The configurations, they're just mistakes, the things that happen through social engineering about which, basically, I don't know much about but I will say that making things simpler is key because that's why people make mistakes. Things are too complicated. Every piece of the system has some bunch of clever engineers who really think it through and make it really sophisticated but when you compose these, it becomes, no one understands, a thing that no one understands what's going on and we need to simplify. My work is to try to simplify at that programming language level which the typical languages people use are too complex. >> And this is really where the software always has holes in it and you just got to be on top of it and make it tight, as it were. >> Right, basically, you can't understand the consequences when you have too many moving parts, as it were, too many constructs in the programming language. The composition is endless and you can't, it's very hard to foresee how they're going to interact and what someone will come up with, eventually. Oh, you could use this to attack that. 
Or, this creates this bad scenario that people don't notice. And, really, there's no remedy to that. You can work and you should be careful, you should test things, you should verify, if you can, formally, but if you just try and keep it simple, clean abstractions that are very simple and composed well, you will simply avoid, by definition, most of these problems. >> Final talk track around open source. It's been well-documented that proprietary software that's funded by companies when kind of stopped and innovating, kind of, dies on the vine. Open source is great, got leverage, you get out in the open, yeah, it's great. So, open source has been growing like a weed over the past couple decades and, recently, it's been phenomenal. The open source people say, oh, security is better in open source. At the same time, you bring up the notion of language security and those programming languages. How do you see that rectifying itself? How is the security paradigm with open source going to be stabler? What do companies need to do because open source is being used everywhere. >> Open source is used everywhere for good reason but open source is not, by itself, a magic thing, right. It's still, you get problems, open source is also open to malicious contributors, to problems, and the systems are too big for, even though there are code reviews and everything, so it's a double-edged sword, in some respects and sometimes the quality just suffers. These are social organization and each one is different and they have problems, so I don't know that that is, it's good that you shine light on something, it tends to purify it, and certainly that's a great strength of open source that you can't have things buried in there that you don't know. By the same token, it is not a panacea because the other thing is someone has to fund this somehow. All the open source models have to find somewhere to keep this going. So it's a more complicated thing to pull off. 
>> Especially with all these appliances now, okay, which version of Linux are you running, do I review the code? How do people ensure the security know that whether it's an appliance, or a device, or phone, or anything and it doesn't have some sort of back door or security vulnerability? >> Well, backdoor, I don't-- >> Backdoor, side door. >> Or just code-- >> This is a conspiracy theory. >> Or poor code. >> Poor code, well, poor code, you know, the open source is full of poor code is the truth. And the other thing is that, one problem with the open source is it also makes it easier for people to attack it because they can see how it's engineered. So, there is a reason that secure systems tend to, actually, maintain a certain level of secrecy. So I wouldn't go overboard on the open source ideology that it's inherently more secure. It has the advantage that you can see what you're getting. It has the disadvantage that everyone, including your adversaries, can see that. >> You don't know that going in, buyer beware kind of philosophy. >> Yes. >> And so, ultimately, you need to trust, like, it always comes down to trust at some level 'cause there's no way you're going to verify the software or the hardware, the bits, the you know. You can have problems in the hardware, this is a big problem nowadays, actually, with certain vendors. I don't want to get into those political footballs but-- >> Yeah, Supermicro. >> Yeah, and so, you really have to see who, you do have to take a risk in who do you trust. Who has a reputation, who is responsible for things that have worked? And there are no easy answers and it's beyond my pay grade. >> Let me get your thoughts on Capital One because we know that story, as of this week and they're on an Amazon S3 bucket, firewall filtering failed, someone just stumbled into it. I mean, the person that hacked it wasn't like, probably, a famous hacker, she was bragging on Twitter and message groups like, saying, hey, I just got in. 
So, door's open, keys are running in the car, walked right to the safe, safe was open. >> So, I don't know anything about that incident specifically and, I mean, beyond what you and I have read on the web or somewhere-- >> That's a human error. >> But they're usually there's always, almost always human error involved. It's also why you need, sort of, it's like countermeasures, right, and counter, counter, countermeasures. You simply have to monitor, right? So that when something, when you have an intrusion, you check it, now, that's not easy but there are lots of clever things that people are doing. You can have security as an afterthought. It's really hard. That's generally the problem is that people don't think about it early enough. >> Final question before we break: What's the human problem that you see most with developers? 'Cause if humans make mistakes, which they do, what's the common mistake developers, programmers make when coding that could be avoided with just a little bit sharper focus? >> Well, it's not about focus but I'd say null pointer exceptions are the biggest, like, after array buffers, they're the other, Tony Hoare called it billion dollar mistake in 1980 in his award speech, I think. And we're talking now, it's probably a trillion dollars, right? And this is something that can be mechanically checked by the programming language and it's probably the number bang-for-a-buck feature that you might throw in. >> Just say no to null? >> Yeah. >> That's the philosophy. >> Yeah. >> Gilad, thanks for coming on the Cube, appreciate the conversation. >> Thank you very much. >> I'm John Furrier, here in Palo Alto at the Cube Studios. This has been a Cube Conversation, thanks for watching. (upbeat music)