Cricket Liu, Infoblox | CyberConnect 2017
>> Announcer: Live from New York City It's TheCube. Covering CyberConnect 2017. Brought to you by Centrify and the Institute for Critical Infrastructure Technology.
>> It got out of control, they were testing it. Okay, welcome back everyone. We are here live in New York City for CyberConnect 2017. This is Cube's coverage is presented by Centrify. It's an industry event, bringing all the leaders of industry and government together around all the great opportunities to solve the crisis of our generation. That's cyber security. We have Cricket Liu. Chief DNS architect and senior fellow at Infoblox. Cricket, great to see you again. Welcome to theCUBE.
>> Thank you, nice to be back John.
>> So we're live here and really this is the first inaugural event of CyberConnect. Bringing government and industry together. We saw the retired general on stage talking about some of the history, but also the fluid nature. We saw Jim from Aetna, talking about how unconventional tactics and talking about domains and how he was handling email. That's a DNS problem.
>> Yeah, yeah.
>> You're the DNS guru. DNS has become a role in this. What's going on here around DNS? Why is it important to CyberConnect?
>> Well, I'll be talking tomorrow about the first anniversary, well, a little bit later than the first anniversary of the big DDoS attack on Dyn. The DNS hosting provider up in Manchester, New Hampshire. And trying to determine if we've actually learned anything, have we improved our DNS infrastructure in any way in the ensuing year plus? Are we doing anything from the standards standpoint on protecting DNS infrastructure. Those sorts of things.
>> And certainly one of the highlight examples was mobile users are masked by the DNS on, say, email for example. Jim was pointing that out. I got to ask you, because we heard things like sink-holing addresses, hackers create domain names in the first 48 hours to launch attacks.
So there's all kinds of tactical things that are being involved with, let's say, domain names for instance.
>> Cricket: Yeah, yeah.
>> That's part of the critical infrastructure. So, the question is how, in DDoS attacks, denial-of-service attacks, are coming in in the tens of thousands per day?
>> Yeah, well that issue that you talked about, in particular the idea that the bad guys register brand new domain names, domain names that initially have no negative reputation associated with them, my friend Paul Vixie and his new company Farsight Security have been working on that. They have what is called a --
>> John: What's the name of the company again?
>> Farsight Security.
>> Farsight?
>> And they have what's called a Passive DNS Database. Which is a database basically of DNS telemetry that is accumulated from big recursive DNS servers around the internet. So they know when a brand new domain name pops up, somewhere on the internet because someone has to resolve it. And they pump all of these brand new domain names into what's called a response policy zone feed. And you can get for example different thresholds. I want to see the brand new domain names created over the last 30 minutes or seen over the last 30 minutes. And if you block resolution of those brand new domain names, it turns out you block a tremendous amount of really malicious activity. And then after say, 30 minutes if it's a legitimate domain name it falls off the list and you can resolve it.
>> So this says you're doing DNS signaling as a service for new name registrations because the demand is for software APIs to say "Hey, I want to create some policy around some techniques to sink-hole domain address hacks." Something like that?
>> Yeah, basically this goes hand in hand with this new system response policy zone which allows you to implement DNS policy. Something that we've really never before done with DNS servers, which that's actually not quite true. There have been proprietary solutions for it.
But response policy zones are an open solution that give you the ability to say "Hey I do want to allow resolution of this domain name, but not this other domain name". And then you can say "Alright, all these brand new domain names, for the first 30 minutes of their existence I don't want--
>> It's like a background check for domain names.
>> Yeah, or like a wait list. Okay, you don't get resolved for the first 30 minutes, that gives the sort of traditional, reputational, analyzers, Spamhaus and SURBL and people like that a chance to look you over and say "yeah, it's malicious or it's not malicious".
>> So serves to be run by Paul Vixie who is the contributor to the DNS protocol--
>> Right, enormous contributor.
>> So we should keep an eye on that. Check it out, Paul Vixie. Alright, so DNS's critical infrastructure that we've been talking about, that you and I, love to riff about DNS and the role What's it enabled? Obviously it's ASCII, but I got to ask you, all these Unicode stuff about the emoji and the open source, really it highlights the Unicode phenomenon. So this is a hacker potential haven. DNS and Unicode distinction.
>> It's really interesting from a DNS standpoint, because we went to a lot of effort within the IETF, the Internet Engineering Task Force, some years ago, back when I was more involved in the IETF, some people spent a tremendous amount of effort coming up with a way to use allow people to use Unicode within domain name. So that you could type something into your browser that was in traditional or simplified Chinese or that was in Arabic or was in Hebrew or any number of other scripts. And you could type that in and it would be translated into something that we call Punycode, in the DNS community, which is an ASCII equivalent to that. The issue with that though, becomes that there are, we would say glyphs, most people I guess would say characters, but there are characters in Unicode that look just like, say Latin alphabet characters.
So there's a lowercase 'a' for example, in Cyrillic, it's not a lowercase 'a' in the Latin alphabet, it's a Cyrillic 'a', but it looks just like an 'a'. So it's possible for people to register names, domain names, that in their Unicode representation, look like for example, PayPal, which of course has two a's in it, and those two a's could be Cyrillic a's.
>> Not truly the ASCII representation of PayPal which we resolve through the DNS.
>> Exactly, so imagine how subtle an attack that would be if you were able to send out a bunch of email, including the links that said www.--
>> Someone's hacked your PayPal account, click here.
>> Yeah, exactly. And if you eyeballed it you'd think Well, sure that's www.PayPal.com, but little do you know it's actually not the --
>> So Jim Routh talked about applying some unconventional methods, because the bad guys don't subscribe to the conventional methods. They don't buy into it. He said that they change up their standards, is what I wrote down, but that was maybe their sort of security footprint. 1.5 times a day, how does that apply to your DNS world, how do you even do that?
>> Well, we're beginning to do more and more with analytics DNS. The passive DNS database that I talked about. More and more big security players, including Infoblox are collecting passive DNS data. And you can run interesting analytics on that passive DNS data. And you can, in some cases, automatically detect suspicious or malicious behavior. For example you can say "Hey, look this name-to-IP address mapping is changing really, really rapidly" and that might be an indication of let's say, fast flux. Or you can say "These domain names have really high entropy. We did an n-gram analysis of the labels of these". The consequence of that we believe that this resolution of these domain names, is actually being used to tunnel data out of an organization or into an organization.
So there's some things you can do with these analytical algorithms in order to suss out suspicious and malicious.
>> And you're doing that in as close to real time as possible, presumably right?
>> Cricket: That's right.
>> And so, now everybody's talking about Edge, Edge computing, Edge analytics. How will the Edge affect your ability to keep up?
>> Well, the challenge I think with doing analytics on passive DNS is that you have to be able to collect that data from a lot of places. The more places that you have, the more sensors that you have collecting passive DNS data the better. You need to be able to get it out from the Edge. From those local recursive DNS servers that are actually responding to the queries that come from say your smart phone or your laptop or what have you. If you don't have that kind of data, you've only got, say, big ISPs, then you may not detect the compromise of somebody's corporate network, for example.
>> I was looking at some stats when I asked the IOT questions, 'cause you're kind of teasing out kind of the edge of the network and with mobile and wearables as the general was pointing out, is that it's going to create more surface area, but I just also saw a story, I don't know if it's from Google or wherever, but 80% plus roughly, websites are going to have SSL HTTPS that they're resolving through. And there's reports out here that a lot of the antivirus provisions have been failing because of compromised certificates. And to quote someone from Research Park, and we want to get your reaction to this "Our results show", this is from University of Maryland College Park. "Our results show that compromised certificates pose a bigger threat than we previously believed, and is not restricted to advanced threats and digitally signed malware was common in the wild." Well before Stuxnet.
>> Yeah, yeah.
>> And so breaches have been caused by compromising certificates of actual authority.
So this brings up the whole SSL was supposed to be solving this, that's just one problem. Now you've got the certificates, well before Stuxnet. So Stuxnet really was kind of going on before Stuxnet. Now you've got the edge of the network. Who has the DNS control for these devices? Is it kind of like failing? Is it crumbling? How do we get that trust back?
>> That's a good question. One of the issues that we've had is that at various points, CAs, Certificate Authorities, have been conned into issuing certificates for websites that they shouldn't have. For example, "Hey, generate a cert for me".
>> John: The Chinese do it all the time.
>> Exactly. I run www. Bank of America .com. They give it to the wrong guy. He installs it. We have I think, something like 1,500 top level certification authorities. Something crazy like that. Dan Kaminsky had a number in one of his blog posts and it was absolutely ridiculous. The number of different CAs that we trust that are built into the most common browsers, like Chrome and Firefox and things like that. We're actually trying to address some of those issues with DNS, so there are two new resource records being introduced to DNS. One is TLSA.
>> John: TLSA?
>> Yeah, TLSA. And the other one is called CAA I think, which always makes me think of a California Automotive Association. (laughter) But TLSA is basically a way of publishing data in your own zone that says My cert looks like this. You can say "This is my cert." You can just completely go around the CA. And you can say "This is my cert" and then you DNSSEC-sign your zone and you're done. Or you can do something short of that and you can say "My cert should look like this and it should have this CA. This is my CA. Don't trust any other one."
>> So it's metadata about the cert or the cert itself.
>> Exactly, so that way if somebody manages to go get a cert for your website, but they get that cert from some untrustworthy CA. I don't know who that would be.
>> John: Or a compromised--
>> Right, or a compromised CA. Nobody would trust it. Nobody who actually looks up the TLSA record because they'll go "Oh, Okay. I can see that Infoblox's cert that their CA is Symantec. And this is not a Symantec signed cert. So I'm not going to believe it". And at the same time this CAA record is designed to be consumed by the CAs themselves, and it's a way of saying, say Infoblox can say "We are a customer of Symantec or whoever" And when somebody goes to the cert and says "Hey, I want to generate a certificate for www.Infoblox.com", they'll look it up and say "Oh, they're a Symantec customer, I'm not going to do that for you".
>> So it creates trust. So how does this impact the edge of the network, because the question really is, the question that's on everyone's mind is, does the internet of things create more trust or does it create more vulnerabilities? Everyone knows it's a surface area, but still there are technical solutions when you're talking about, how does this play out in your mind? How does Infoblox see it? How do you see it? What's Paul Vixie working on, does that tie into it? Because out in the hinterlands and the edge of the network and the wild, is it like a DNS server on the device. It could be a sensor? How are they resolving things? What is the protocol for these?
>> At least this gives you a greater assurance if you're using TLS to encrypt communication between a client and a web server or some other resource out there on the internet. It at least gives you a better assurance that you really aren't being spoofed. That you're going to the right place. That your communications are secure. So that's all really good. IOT, I think of as slightly orthogonal to that. IOT is still a real challenge. I mean there is so many IOT devices out there. I look at IOT though, and I'll talk about this tomorrow, and actually I've got a live event on Thursday, where I'll talk about it some more with my friend Matt Larson.
>> John: Is that going to be here in New York?
>> Actually we're going to be broadcasting out of Washington, D.C.
>> John: Were you streaming that?
>> It is streamed. In fact it's only streamed.
>> John: Put a plug in for the URL.
>> If you go to www.Infoblox.com I think it's one of the first things that will slide into your view.
>> So you're putting it onto your company site. Infoblox.com. You and Matt Larson. Okay, cool. Thursday event, check it out.
>> It is somewhat embarrassingly called Cricket Liu Live.
>> You're a celebrity.
>> It's also Matt Larson Live.
>> Both of you guys know what you're talking about. It's great.
>> So there's a discussion among certain boards of directors that says, "Look, we're losing the battle, we're losing the war. We got to shift more on response and at least cover our butts. And get some of our response mechanisms in place." What do you advise those boards? What's the right balance between sort of defense perimeter, core infrastructure, and response.
>> Well, I would certainly advocate as a DNS guy, that people instrument their DNS infrastructure to the extent that they can to be able to detect evidence of compromise. And that's a relatively straightforward thing to do. And most organizations haven't gone through the trouble to plumb their DNS infrastructure into their, for example, their SIEM infrastructure, so they can get query log information, they can use RPZs to flag when a client looks up the domain name of a known command and control server, which is a clear indication of compromise. Those sorts of things. I think that's really important. It's a pretty easy win. I do think at this point that we have to resign ourselves to the idea that we have devices on our network that are infected. That game is lost. There's no more crunchy outer shell security. It just doesn't really work. So you have to have defense in depth as they say.
>> Now servs has been around for such a long time.
It's been one of those threats that just keeps coming. It's like waves and waves. So it looks like there's some things happening, that's cool. So I got to ask you, CyberConnect is the first real inaugural event that brings industry and some obviously government and tech geeks together, but it's not Black Hat or IETF. It's not those geeky forums. It's really a business community coming together. What's your take of this event? What's your observations? What are you seeing here?
>> Well, I'm really excited to actually get the opportunity to talk to people who are chiefly security people. I think that's kind of a novelty for me, because most of the time I think I speak to people who are chiefly networking people and in particular that little niche of networking people who are interested in DNS. Although truth be told, maybe they're not really interested in DNS, maybe they just put up with me.
>> Well the community is really strong. The DNS community has always been organically grown and reliable.
>> But I love the idea of talking about DNS security to a security audience. And hopefully some of the folks we get to talk to here, will come away from it thinking oh, wow, so I didn't even realize that my DNS infrastructure could actually be a security tool for me. Could actually be helpful in any way in detecting compromise.
>> And what about this final question, 'cause I know we got a time check here. But, operational impact of some of these DNS changes that are coming down from Paul Vixie, you and Matt Larson doing some things together, What's the impact of the customer and they say "okay, DNS will play a role in how I roll out my architecture." New solutions for cyber, IOT is right around the corner. What's the impact to them in your mind operationally?
>> There certainly is some operational impact, for example if you want to subscribe to RPZ feeds, you've got to become a customer of somebody who provides a commercial RPZ feed or somebody who provides a free RPZ feed.
You have to plumb that into your DNS infrastructure. You have to make sure that it continues transferring. You have to plumb that into your SIEM, so when you get a hit against an RPZ, you're notified about it, your security folks. All that stuff is routine day to day stuff. Nothing out of the ordinary.
>> No radical plumbing changes.
>> Right, but I think one of the big challenges in so many of the organizations that I go to visit, the security organization and the networking organization are in different silos and they don't necessarily communicate a lot. So maybe the more difficult operational challenge is just making sure that you have that communication. And that the security guys know the DNS guys, the networking guys, and vice versa. And they cooperate to work on problems.
>> This seems to be the big collaboration thing that's happening here. That it's more of a community model coming together, rather than security. Cricket Liu here, DNS, Chief Architect of DNS and senior fellow of Infoblox. The legend in the DNS community. Paul Vixie amongst the peers. Really that community holding down the fort I'll see a lot of exploits that they have to watch out for. Thanks for your commentary here at the CyberConnect 2017 inaugural event. This is theCUBE. We'll be right back with more after this short break. (techno music)
Randy Bias, Juniper - OpenStack Summit 2017 - #OpenStackSummit - #theCUBE
>> Voiceover: Live from Boston, Massachusetts, it's the Cube, covering OpenStack Summit 2017. Brought to you by the OpenStack Foundation, Red Hat, and additional Ecosystem as support.
>> Welcome back, I'm Stu Miniman joined by John Troyer. This is SiliconANGLE Media's production of the Cube at OpenStack Summit. We're the worldwide leader in tech coverage, live tech coverage. Happy to welcome back to the program someone we've had on so many times we can't keep track. He is the creator of the term Pets versus Cattle, he is one of the OG of The Cloud Group, Randy, you know, wrote about everything before most of it was done. So good to see you, thank you for joining us.
>> Thanks for having me.
>> Alright, so Randy, coming into this show we felt that it was a bit of resetting expectations, people not understanding, you know, where infrastructure's going, a whole hybrid multi-cloud world, so, I mean you've told us all how it's going to go, so where are we today, what have people been getting wrong, what's your take coming into this week and what you've seen?
>> Well, I've said it before, which is that the public clouds have done more than just deliver compute storage and networking on demand. What they've really done is they've built these massive development organizations. They're very sophisticated, that are, you know, that really come from that Webscale background and move at a velocity that's really different than anything we've seen before, and I think the hope in the early days of OpenStack was that we would achieve a similar kind of velocity and momentum, but I think the reality is is that it just hasn't really materialized; that while there are a lot of projects and there are a lot of contributors the coordination between them is very poor, and you know it's just not the, like architectural oversight that we really needed isn't there.
I, a couple years ago at the Openstack Silicon Valley gave a presentation called The Lie of the Benevolent Dictator, and I charted a course for how we could actually have more of a technical architecture oversight, and just that really fell on deaf ears. And so we continue to do the same thing and expect different results and I just, that's a little disappointing for me.
>> Yeah. So what is your view of hybrid cloud? You know, no disagreement, you look at what the public cloud companies, especially the big three, the development that they can do, Amazon, a thousand new features a year, Google, what they can do with data, Microsoft has a whole lot of applications and communities around them. We're mostly talking about private cloud here, it was a term that you fought against for many years, we've had great debates on it, so how does that hybrid play out? Cause customers, they're keeping on premises. Edge fits into a lot of this too, so it's, there's not one winner, it's not a zero sum game, but how does that hybrid cloud work?
>> Yeah so, I didn't fight against private cloud, I qualified it. I said if it's going to be a private cloud it's got to be built and look and smell the way that the public cloud was. Alright? If it's just VMware with VMs on demand, that's not a private cloud. That was my position. And then in terms of hybrid cloud, you know, I don't think we're there yet. I've presented on this at many different OpenStacks, you can see it in the past, and I sort of laid out what needs to happen and that didn't happen. But I think there's hope, and I think the hope comes in the form of Kubernetes, and to a certain degree, Helm.
And the reason that Kubernetes with Helm is very powerful is that Kubernetes gives us a compute abstraction, so that you don't care if you're on the public cloud, or you know OpenStack or VMware or whatever, and then what Helm gives us is our charts, so ways to deploy services, not just software, and so what we could think about doing in the future is building hybrid cloud based off of Kubernetes and Helm.
>> Yeah, so Randy since last time we talked you've got a new role, you're now with Juniper. Juniper had done a Contrail acquisition. You know, quite a few years back you wrote a good blueprint on one of the Juniper forums about the OpenContrail communities. So tell us a little bit about your role, your goals, in that community.
>> So OpenContrail has been a primarily Juniper initiative, and we're going to press the reset button on the OpenContrail community. I'm going to do it tonight and call for people to sort of get involved in doing that reset, and when I say reset I mean, wipe the operating system, reload it from scratch, and do it really as a community, not just as a Juniper run initiative, and so people inside Juniper are very excited about this, and what we're trying to do is that we believe that the path forward for OpenContrail is ubiquitous adoption. So rather than playing for just the pieces that we have, which we've done a great job of, we want to take the world's best SDN controller and we want to make sure everybody uses it, because we think aggregate that's good for not only the entire community but also Juniper.
>> So, love the idea of kind of rebooting the community in the open, right, because you have to be transparent about these sort of things.
>> Randy: Yeah, that's right.
>> What are the community segments that you would like to see join you here in the OpenContrail? What kind of users, what kind of companies would you like to see come in to the tent?
>> Well anybody's welcome, but we want to start with all of our key stakeholders that exist today, so first one, and arguably one of the most important is our competitors, right so we're hoping to have Mirantis at the table, maybe Ericsson, Huawei, anybody. Cisco, hey come join the party. Second is that we have done really well in SaaS and in gaming, and we'd like to see all of those companies come to the table as well, Workday, Symantec, and so on. The third segment is enterprises, we've done well in financial services, we think that that's a really important segment because they're leading edge of enterprises typically, and the fourth is the carriers, obviously incredibly important for Juniper, folks like AT&T, Direction Telecom, all those companies we'd love to see come to the table. And then that's really the primary focus, and then anybody else who wants to show up, anybody who wants to develop in Contrail in the future we'd love to have there.
>> Well with open source communities, right, there's always a balance of the contributors and developers versus operators, and we can use the word contributors in a lot of roles. Some open source communities, much more developer focused,
>> Randy: That's right.
>> Others more operator focused, where do you see this OpenContrail community starting out?
>> So where it's been historically is more of our end users and operators.
>> I think that's interesting and an interesting twist because I think sometimes open source communities get stuck with just the people who can contribute code, and I'm from an operator community myself,
>> Randy: Right.
>> So I think that's really interesting.
>> We still want all those people but I think what has happened is that when people have come in and they wanted to be more sort of on the developer side, the community hasn't been friendly to them.
>> John: Okay.
>> Randy: And so we want, that's a key thing that we want to change.
You know when we were talking to certain carriers, they came and they said look, it's great you're going to do this, we want to be a part of it, and one of the things we'd like to contribute is more advanced testing around VNFs. And I just look at that and I'm just like that's what we need, right? Juniper is not, can't carry all the water on having, you know, sophisticated test suites for VNFs and more advanced networking use cases, but the carriers are deep into this and we'd love to have them come and bring that. So not just developers, but also QA, people who want to increase the code quality, the architectural quality, and the aggregate value of OpenContrail.
>> Okay, Randy can you help place OpenContrail where it fits in this kind of networking spectrum, especially, there's open source things, we've talked about about VPP a couple times on theCube here. The joke for many years was SDN still does nothing, NFV solutions have grown, have been huge use case, is really where the early money for big deployments have been for OpenStack. Where does OpenContrail fit, where does it kind of compare and contrast against some of the other options out there.
>> I'm going to answer that slightly differently. I've been skeptical about SDN overlays for a long time, and now I am helping with one of the world's best SDN overlays, and what's changed for me is that in the last year I've seen key customers of Contrail's, of Juniper's actually do something very interesting, right. You've got an SDN overlay, it's complex, it's hard to void, you got to wonder, why should I do this? Well I thought the same thing about virtualization, right, until I figured out, sort of what was the killer app.
And what we've seen is a company, one of our customers, and several others, but one in particular I can talk about publicly, Riot Games, take containers and OpenContrail and marry them so that you have an abstraction around compute, and an abstraction around networking, so that their developers can write to that, and they don't care whether that's running on top of public cloud, private cloud, or in some partner's data center globally. And in fact they're going to talk about that today at OpenContrail days at 3:30, and are going to present a lot more details, and that's amazing to me because by abstracting away and disintermediating the public clouds, you actually have more power, right. You can build your own framework. And if you're using Kubernetes as a baseline you can do a lot more on top of that computing network abstraction. >> You talked about OpenContrail days, again my first summit, I've actually been impressed by the foundation, acknowledging there's a huge landscape of open source and other technologies around there, OpenStack itself doesn't invent everything. Can you talk a little bit about that kind of attitude of bringing, I mean we talk about Kubernetes and that sort of thing, but all the other CNCF projects, monitoring, even components like SCD, right, we're talking about here at this conference. So, can you talk a little bit about how OpenStack can interact with the rest of the open source and cloud native at-large community? >> That's sort of a tough question John. >> John: Okay. >> I mean the reason I say that is like the origins of OpenStack are very much NIH and there has been a very disturbing tendency to sort of re-invent the wheel. A great example is Keystone, still to this day I don't know why Keystone exists and why we created a whole new authentic standard when there were dozens and dozens of battle-tested, battle-hardened protocols and bits of code that existed prior.
It's great that we're getting a little bit better at that but I still sense that the origins of the community and some of the technical leadership have resistance to organizing and working with outside components and playing nice. So, it's better but it's not great, it's not where it should be. Really OpenStack needs to be broken down into a lot of different projects that can compete with each other and all run in parallel without having to be so tightly wound together. It's still disappointing to me that we aren't doing that today. >> Randy, wonder if you could give us a little bit of a personal reflection, you've been involved in cloud many years, we've talked about some of the state of it, where do you think enterprises are when they think about their IT, how IT relates to business, some of the big challenges they're facing, and kind of this rapid pace of change that's happening in our industry right now? >> Yeah well the pressures just increase. The need to pick up speed and to move faster and to have a greater velocity, that's not going away, that seems to be like an incredible macro-trend that's just going to keep driving people towards the next event. But what I see is that the tension between the infrastructure IT teams and the line of business hasn't really started to get resolved. You see a lot of enterprises back into using DevOps as a way to try to fix the culture change problems but it's just not happening fast enough. I have a lot of concerns that basically private cloud or private infrastructure for enterprises will just not materialize in the way it needs to for the next generation. And that the line of business will continue to just keep moving to public cloud. All the while all the money that's being reinvested in the public cloud is increasing their capabilities in terms of feature sets and security capabilities and so on.
I just, I don't see the materialization of private cloud happening very well at this point in time and I don't see any trendlines that tell me it's going to change. >> Yeah, what recommendations do you give today to the OpenStack foundation? I know that you haven't been shy in the past about giving guidance as to the direction, what do you think needs to happen to be able to help customers along that journey that they need? >> I don't give any guidance to the OpenStack Foundation anymore, I'm not on the Board of Directors, and frankly I gave a lot of advice in the past that fell on deaf ears and people were unwilling to make the changes that were necessary I think to create success. And even though I was eventually proven right, there doesn't seem to be an appetite for change. I would say that the hard partition between the Board of Directors and the technical committee that was created at the outset with the founding of the Foundation has led to a big problem which is that there's simply business concerns that are technical concerns and there are technical concerns which are business concerns and the actual structure of the Foundation does not allow that to occur because of that hard partition between them. So if people on Board of Directors can't actually tell the TC that they'd like to see certain technical changes because they're business concerns and Technical Committee can't tell the Board of Directors they'd like to see business changes made because they're technical concerns around them. And I think that's, it's fundamentally broken until the bylaws are fixed. >> So Randy beyond what we've talked about already what's exciting you these days, you look at like the serverless trend, is that something that you find intriguing or maybe contrary view on it, what's exciting you these days? >> Serverless is really interesting. In fact I'd like to see serverless at the edge.
I think it would be fascinating if Amazon Web Services could sell a serverless capability that was actually running in the mobile carriers edge. So like on the mobile towers or in essential offices. But you could do distributive computation for IoT literally at the very edge of the network, that would be incredibly powerful. So I am very interested in serverless in that regard. With Kubernetes, I think that this is the future, I think I've seen most of the other initiatives start to fail at this point. Docker Incorporated just hasn't made the progress they need to, hopefully a change in leadership will fix that. But it does mean that more and more people are gravitating towards Kubernetes and that's a thing because whereas OpenStack is historically got no opinion, Kubernetes is a much more prescriptive model and I think that actually leads to faster innovation, a greater pace of change and combined with Helm charts, I think that we're going to see an ecosystem develop around Kubernetes that actually could be a counterweight to the public clouds and really be sort of cloud agnostic. Private, public, at the edge, who cares? >> Randy Bias, always appreciated your very opinionated viewpoints on everything that are happening here. Pleasure to catch up with you as always. John and I will be back with lots more coverage here from OpenStack Summit in Boston, thanks for watching the Cube.