>> Announcer: Live from the Computer History Museum in Mountain View, California, it's theCUBE, covering DevNet Create 2018. Brought to you by Cisco. (jingle) >> Hi, welcome back to theCUBE. My name is Lauren Cooney, and I'm here today with Matt Johnson who is a technologist at Cisco, with Cisco DevNet. Hi Matt. >> Hi, how's it going? Good to see you again. >> Pretty good. Good to see you again too. So what's going on here? What's going on with the show and what are you working on? >> Oh, sure. So the show in general is just this ability for us, you know, Cisco DevNet have always had quite a large and a growing presence at Cisco Live, kind of Cisco's, Europe and US yearly conferences. But this is the second year we've done Create, and it's really an opportunity to kind of take the real developer angle, the makers, the API integrators, kind of the real, kind of developer ecosystem that's going around Cisco's products and our APIs, and just kind of focus on that audience. So, you know, all the content here is developer for developer. And so it's just really nice to be able to experiment in a bit more of an open format. >> Yeah, exactly. So it's kind of that DIY environment of developers that are coming in and really doing all this stuff and starting to innovate on their own. >> Yeah, absolutely. And what I'm really excited about here we have the, we had kind of a two-day hackathon running at the same time as the event, and so, instead of that just being a little bit of time spent between sessions, these are teams that have already kind of been working behind the scenes on the run-up to the event, so they've already kind of met each other virtually through collaboration, they've already worked out what kind of problem space they want to solve, they've already started working on kind of sample and PLC code, so the idea that at the end of a two-day conference we could actually see some working solutions to real problems that our partners and our customer ecosystem is seeing, I think that's quite-- >> That's great. >> An exciting idea. >> Yeah, Mandy Whalen was just on with us. >> Oh, fantastic. >> And she actually talked a little bit about that, and you know, so these guys will be up for 24 hours hacking on stuff. Hopefully we'll see some great solutions come the end and you know, we'll talk about it here on theCUBE. >> Yeah. >> So tell me about what you're doing today at Cisco DevNet. >> Sure, so from one style of hacking to another, we are actually running this demo called the Black Hat White Hat Challenge. And I went to, I've always been a bit of a kind of hobbyist pentester. >> Lauren: Never, no. >> I liked breaking things from a young age. And I got to attend my first Defcon in Las Vegas last year, and coming from an evangelism background, coming from kind of doing workshops and talks and demos, I was absolutely amazed at the interactivity of pretty much everything that goes on at the black hat hacking conference, sorry the Defcon hacking conference. My apologies. They have, you know, hands-on IoT villages where you can go and try hacking against all the hardware, there is kind of labs and tutorials for people that are maybe just getting into kind of that side of hacking and penetration testing. So I kind of brought that back and I've always had a passion for security, and IoT nowadays, we are in a situation where a lot of these devices we are starting to bring into our homes and our businesses and things, are built to a budget. They are built cheap, they're not security devices. People aren't thinking of security, they're thinking of functionality when they're building those, so someone that makes fridge freezers isn't going to be thinking about the 10 year security roadmap for that fridge freezer. They're going to be thinking about selling the latest smart freezer. >> Lauren: Exactly. >> And so I wanted to kind of bring some of that hands-on Defcon-style hacking into a real-world scenario. So at security conferences and at developer conferences, we always talk about things being insecure, and we talk about needing to think about security. But what we have is a booth here where we actually take off-the-shelf IoT devices, and in a curated path we are getting attendees with no background in kind of pen testing to use real-world hacking tools and real exploits against those devices, to build their access into that network and eventually get to the goal, which is getting into an electrical safe with like a price inside. And all of that is real off-the-shelf IoT. It's real security. And the aim of that is to kind of-- >> So they are actually cracking the safe. >> They are cracking the safe, they are cracking into Wi-Fi. They're getting onto the guest Wi-Fi and then finding a vulnerability in the router which gets them onto the wired network, so that'd be like a guest network in a corporate environment or a guest network in a hotel, getting you onto the hotel's infrastructure network and then to a camera. >> So this is like straight up hacker one. >> Straight up, yeah, exactly, right? Which is perfect. >> Lauren: This is great. >> Yeah, exactly. So that's what we're doing and the idea is to just to kind of stop talking about it and start showing. This is not stuff you need to be super good at. This is stuff you can Google. The tools are out there, the tools are getting more and more easy to use. And also vulnerabilities are becoming more and more common because of the growth of IoT. There were double the number of CVE, like known vulnerabilities in the wild in 2017 than there were in 2016. >> Okay. >> And that's because of this constant pace of new devices. So we're kind of showing that these are really crackable by anyone with a bit of time and research. And then also showing kind of what can be done about that. And, you know, even without kind of the proactive and firewalls and things like that, just getting a developer audience thinking about this stuff, getting them, you know, fresh in their mind, you know, these are the kind of places we should be focusing on IoT security because it's these developers that will be writing code and those products today-- >> I think that's great. And I think security is so important today with everything going on, and then there's Facebook and testimonies that are happening today, and you know, lots of different things. Now, what are you using to actually kind of fill these holes, fill these kind of security vulnerabilities that you're using with these off-the-shelf IoT devices? >> Sure, so what we are showing is how kind of, if you know if you have these devices on your network, obviously layering things like Cisco's net-gen firewalls in line with those devices, has signatures that will detect. It's not going to patch the device itself, 'cause that might be from another vendor or an IoT camera or a light switch or something, but it's going to detect the malicious traffic trying to attack that device and drop it. So you're kind of protecting your perimeter, you're stopping a vulnerable device becoming an actual hack. Alternatively from a personal perspective, as we start looking at how we consume hardware in our homes and businesses, I actually really like kind of the Meraki model and the Nest Cam model, and you know, all the other camera vendors which charge you with subscription, 'cause if you buy hardware one-off, you have no idea whether that price for that hardware allotted budget for the development team to keep thinking about security or whether that team doesn't exist anymore and they're off building their next product. >> Lauren: Yup. >> Whereas if you're buying something on kind of a subscription basis, even though the hardware is in your home, you know that their profit is based on them keeping your product up-to-date. >> Lauren: Definitely. >> So you expect, you know, real-time updates, you expect timely security updates. And so I think that kind of a software as a service style delivery of on-prem hardware is definitely a more secure approach. >> Yeah, and the Meraki model is definitely moving forward as one of the prevalent models that we, you know, Cisco has. >> Exactly. Yeah. >> And it's, you know, that plug and play, easy-to-use, get it up and running, et cetera. >> Exactly, and then on the back of that you know that there's people working on those security things, which isn't something that you think about when you buy it for its APIs and its plug-and-play in its ease-of-use, but just knowing that that is there and, you know, you're paying for that development, is a good thing. >> Where do you see most of these vulnerabilities, and I know you have a lot of background in cloud computing and you know, in these arenas, but where do you see most of these vulnerabilities? >> Matt: So-- >> It's a big question. >> Yeah. I mean a lot of the, hackers are going to wherever, you know, is easiest for the amount of time and effort. Certainly when we see kind of malicious actors kind of looking for a large footprints, large, building botnets et cetera. There could be a very, very clever attack that requires a lot of time and effort, or there could be an IoT device that you know there's going to be 4 million of them sold online, they're going to go for those. And like I said, these devices are low-power, built to a budget. You can get them into your hands and like SaaS service online. So people can take them apart, they can have a look at the code inside of them. They can have a look at the operating system. So it's quite easy to find vulnerabilities on these IOT devices. >> Lauren: Oh yeah. >> So that is definitely a growing area. Also the level for harm on those kind of vulnerabilities, if we are talking about Internet-connected healthcare, Internet-connected hospital equipment, you know, control valves for factories that may or may not be dealing with certain kind of materials. That is definitely a focus both from a security industry perspective, and also kind of where we are seeing hackers targeting. >> That's great. So tell me a little bit about what else you're working on right now. I think, I always find it interesting to hear from you what you're kind of hacking with and-- >> Yeah, sure. So that's my, that's my kind of security hobby-cum-part time role I guess within DevNet. >> Lauren: Love it. >> I quite like that kind of hands-on security evangelism. A lot of other stuff I'm doing is all around kind of open source and micro services and containers. So we're doing lots of work internally with Kubernetes Right now. Proof of concepting, some new user space networking code. >> Lauren: Oh great. >> Which would allow basically the network your traffic takes from your application in the container, write out to the network card, to be a user space app. So, you know, you're not stuck with the networking that a cloud provider gives you. If you want to test your application fully like packet to app back to the wire, and know that that network is also going to go with you when you deploy anywhere, we're going to be able to do that. >> That's fabulous. >> And there's also some real performance benefits to kind of not going in and out of the Linux kernel, so we can kind of saturate 40 gigabits a second from a container, straight down to the wire on kind of commodity compute like UCS what like any x86 service. So really excited about that. It's in development at the moment. That's all open source. >> Lauren: It will be all open source. >> It's all open source already under the FD.io project, FD dot io. >> Oh. >> The integration into Kubernetes is ongoing. And obviously will be open sourced as it gets developed. But that's super exciting. Also just the whole Merakifi, Merakification if I can say that. This idea of turning on-prem devices into kind of black box, you know, cloud managed, cloud updated. You have an IT team. They're just remote and kind of paid for in a SaaS model rather than having to manage and patch those devices on-prem. >> Lauren: Oh yeah. >> You know, we currently do that with switches and routers and cameras as I'm sure you know that the Meraki product portfolio, I don't see why we don't do that with on-prem compute. Why don't we do that with on-prem, you know, Kubernetes clusters. Why should a Kubernetes cluster, just because it sat in your data center, be any different in terms of usability, billing, management, than the one you get from Google Cloud platform or Azure or AWS? It should have the same user experience. So across those two areas, yeah, that's where I'm spending most of my time at the moment. >> Great, well, we're kind of wrapping up here. Tell me, what is the most exciting thing for you that's coming down the path in the next six months or so? >> Um. >> Can you tell us? >> I cannot tell you the most exciting thing, I'm afraid. It has to do with everything I'm talking about, kind of the networking, the as a service, super excited about user space networking. We have customers that looking to do kind of real-time video pipelines for a broadcast in containers. And being able to do that on-prem or in cloud or wherever, and this FD.io VPP technology, I think will really unlock that. >> Lauren: That's great. >> So real use cases, and yeah, super excited. >> Great. Matt, thank you so much for coming on today. >> It's been pleasure. >> Yeah, my pleasure as well. This is Lauren Clooney and we'll be right back from the show here at Cisco DevNet Create. (jingle)