from the Hard Rock Hotel in Las Vegas. It's theCUBE, covering HoshoCon 2018. Brought to you by Hosho.

Hello everyone, welcome back to our live coverage here in Las Vegas for HoshoCon. I'm John Furrier, host of theCUBE. It's the first inaugural conference on security in the blockchain. Security is obviously not new to the blockchain; it's the number one concern. Crypto is crypto; decentralized networks are what people want. Security is the only thing that matters: if you haven't been hacked, then you should know you're being hacked. This is theCUBE coverage here in Las Vegas for HoshoCon. I'm John Furrier with Steven Sprague, the CEO of Rivetz, who's a security entrepreneur I've known for almost 20 years now. He has been at this through multiple waves of innovation, multiple security paradigm stacks, not new to the problem. Great time for you. Welcome to theCUBE.

Oh, thank you for having me.

So I've known you, and I've known your father as well, for almost 25 plus years. You have been at this in one form or another with security, and the waves are different. I mean, there's the web waves, there's different architectures. People call it internet 3.0, whatever. They're just different evolutionary steps. Now is the killer time because we're seeing the most action. You got web, internet, mobile, global, new economics, new money. The stakes are higher. It's not just like some isolated box. You got cloud. This is the time to harvest the work you've been doing. Give us an update on you.

Absolutely. I've been at this my whole career. I started down this path in 1990 doing digital rights management, micro transactions and video games, and was part of the formation of the Trusted Computing Group in the 2000s, and helped ship 1.4 billion PCs with hardware security on the motherboard of the PC that's still out there today.
So I started Rivetz in 2013 to really go after how we enable hardware security in mobile devices, and just about instantaneously ran into the blockchain. And at my first Bitcoin conference, which was the Miami Bitcoin conference, about a half an hour into it, two things dawned on me. One, we were talking a lot about crypto, but nobody was talking about cybersecurity. And there's a gap between those. Just because we talk crypto all the time doesn't mean that we know what we're doing in cyber. And the other one that was true was, oh my God, I've been looking for this for the last 10 years, which is how do we enable the user to own their own keys? And I don't mean like single keys on each device. I mean the root key that controls all the other keys on all their devices. And so this is a super interesting space. We're just at the very beginning of it. In some ways, the Bitcoin side, the sort of value or money side, is the demo. The real opportunity is this is the infrastructure that's going to replace how we do normal enterprise compute. We're at the end of PC computing. We're about to have a new paradigm. Blockchain's coming.

I agree with you, there's an infrastructure shift over because of the efficiencies that are gained and the disruption around what's not efficient, whether it's venture capital or infrastructure, IoT, whatever, the supply chain, or the decentralized way is the way to make it efficient. So it's an opportunity. Every entrepreneur that I know is looking at their chops going, wow, I can come in here and create value. The mainstream adoption is around this complexity, around use, to your point. And then the fear of being hacked, the cybersecurity piece, whether it's for money or a hostile actor.

But think of it in a different way. Security, nobody cares about security. Nobody buys security, nobody wants security. Security is UI. So if I ask you what your favorite multi-factor authentication experience is, what do you think?
Like fingerprints and all this kind of stuff?

It's not true. The send button is your favorite one. Dial the number and you push send and it just works. It works everywhere in the world. It works every time. You've taught mom how to use it and the kids how to use it. It's simple. So we would never use, like, dial the number and we're going to use AI and big data to determine whether your phone is in the right condition to complete the call. And then a message is going to come up and say, would you please breathe deeply and calm down, because you're clearly agitated; I can't complete your call for you at this time. Like, you'd never use that phone. So why are we going to use that for the rest of our enterprise experience? I just sent you a PIN number on your phone that you can't use before you can make the call.

Again, I agree. It should be under the wire. It should be transparent. Security should be native, always on.

That's right.

And that's what you're getting at. Okay, so in your opinion, where are we in the progress? Because again, I think this connects the dots for your career, what you've worked on, the itch you've been scratching in security, because you have the perfect storm. You have full mobility penetration.

That's right.

You have commerce on top of it, and you have full global connectedness. Those three things alone make it.

And we have decentralization. So the thing that's important in blockchain, it's important to remember: while the data on a chain is immutable, we know we can seal a message inside a little envelope and sign it. And we write it to a chain and it never changes. What we don't know is whether the data written to the chain was intended. So all the information on all the blockchains is fake news. It's important to understand that. If we take a blockchain to court and try and prove something, all we can prove is the data hasn't changed. I've absolutely no idea whether your private key was written on the bathroom wall or stored in Fort Knox.
And so if you try and record something on chain, your defense is always, ah, somebody stole my private key. Or if I'm trying to defend that you didn't do it on chain, somebody stole his private key. So actually the data on the chain is fake. It's real: it was signed by a private key, but we have no knowledge of the quality of the private key. And if you told the blockchain community that we've got to go to your Windows log files to see whether or not your key was compromised at the time, and that Windows log files are the way we secure all blockchains, we're not going to get there. So the problem is...

That's a roadblock for sure, no doubt.

Yeah, yeah. So the problem is that blockchains are decentralized, therefore they're censorship proof. All of network security is censorship, therefore blockchain is network security proof. Oops. So everything we've spent in the last trillion dollars in cybersecurity doesn't work on blockchain unless I run private chains. All a private chain is, is running inside the enterprise security wall, using all your Juniper firewalls to secure your chain. That's not what we're talking about. We're talking about a decentralized solution.

So match the security posture to the architecture that you're working on.

So we're going to have to do for the first time something that's crazy: we're going to have to do secure e-commerce, which is when we form an instruction, because blockchains aren't authentication either. This isn't about logging into a node, getting a webpage and filling out a form. No, this is about sending an instruction. So a blockchain instruction, a nuclear launch code, an e-commerce transaction, an IoT instruction like turn the lights on to 50%, are all the same thing. It's an instruction-based paradigm. So it's not only about protecting the key, but also the protection of the instruction that tells the system what to do. And so in order to do that, the device that creates the instruction has to be a known device.
Today we run our whole world, all our critical infrastructure, everything, on unknown compute. When you turn this machine on, you didn't check to see it wasn't run by the North Koreans, and you can't tell.

Yeah, they could be in there. They probably are.

Absolutely, more so than you would want to know.

So where is the answer on this? Cut to the chase here. In your opinion, as people figure out, okay, we have all this great hardware that was built for a certain generation. Now I'm using it as mission critical in my life. It's integrated to my lifestyle, where it's my watch, my computer, my phone, now my in-house Siri, Portal, Facebook thing.

So we need to get away from Apple's embracing of the CompuServe model, where you have a mobile phone that is terminal equipment, you log into apps, and your identity is based on your login to your phone. We don't actually check to see if the phone is really your phone. And we need to move to the concept of mobile, where it's a device identity network, where services are delivered not based on the username and password, but based on the identity of the device. And really, ultimately, we need to get to what looks like an IoT network, which is a device identity network with messaging as the primary protocol. So secure messages are sent. So fundamentally, we need to demote the importance of user authentication and promote the importance of device identity, so that I have a known device in a known condition with known controls that is producing the instructions that are sent to the chain. Ideally, you'd like in every chain a second hash, and that second hash represents a manifest of controls that were in place. So I checked to see I was in the building, I checked to see he's still an employee, I checked to see my device is working properly, I checked to see the trust infrastructure in the hardware of my device is working properly. And that gives me a hash.
I can write that to chain with the same immutable transaction. Now I can prove that John's device, in this condition, with these controls, wrote these instructions.

So authentication powered the last architecture. Blockchain, to your point about not knowing what's in the data, needs to have an identity model for the signatures.

For the robot.

For the robot.

For the robot. So people are like, oh my God, but what if I lose my phone? And the most important thing is you notice. If I steal your private keys, you don't notice. I steal your phone, like I just touch your phone, it makes you feel nervous.

Yeah.

It's a very, but that's 100,000 years.

I know when I leave my phone at home, I turn around. As soon as I'm three feet out of the driveway, I'm like, okay, go back for the phone.

And so that's cybersecurity training. It starts when you're 18 months old. When somebody gives you an important object, you're not supposed to forget it places. Like heaven forbid you remove the fuzzy rabbit from the three-year-old. You can lose an arm, right? So that model, buying device. The good news is, the trusted computing standards of the world have given us embedded hardware security in the chipsets as a standard capability in every ARM processor, now in every Intel processor. These capabilities have been deployed in these devices, and we can turn them on to provide an effective hardware-based wallet for all of crypto.

How does the hardware wallet work in your vision? Because I think most people, generally, and me included, would say, look, I love crypto, but I'm busy, got my four kids, two are in college, two are in high school, I'm running around, you're running around. Bottom line is, I got my key, my cold storage, I got keys everywhere. I forgot where I put my damn keys. Where's my key anyway? I ended up writing it on a post-it, who knows.

So we believe your keys are your collection of devices.
So we've actually just done a recent relationship with Telefonica. We showed two weeks ago a dual root of trust handset. So half of your key is protected by the SIM architecture in your phone. Half of your key is protected by the manufactured ARM processor in your handset. So I have two separate roots of trust. So I'm not trusting the carrier, I'm not trusting the manufacturer. They have to work in cooperation. The owner owns the keys. Then I want to back up those keys. So why not, now that I have multiple roots of trust in my device, they can talk to my other devices. So we think of your household of devices as your key, not your single super phone. So every time I make a new wallet, you're right, you're running around, you didn't think about it, you don't want to write down 12 words, you're out at Starbucks, you shouldn't be writing the 12 words down on the surveillance camera at Starbucks, that would be a bad plan. Instead, you want your device to just communicate out to your other devices. So imagine in the future I lose my phone. I can shut it off by calling my carrier, and then I want to make a new phone. Maybe I've got to go, like, push a button in my Tesla, push a button on my smart refrigerator, and my wife has to push a button, or my girlfriend, or whatever the complications are, like we all have, right? And that's what allows me to recreate not just my blockchain keys, but my Marriott keys, my car keys, my refrigerator keys, my these keys, and we're going to have lots of keys for all this stuff.

Hardware is key in your opinion; you've got to have the hardware.

Right, the reason why you have hardware is because we can measure that the hardware hasn't changed.
So we can have a hardware root of trust, something that we know is anchored in silicon, in iron, and then really in copper, and then from that we can build a stack that says we know this hasn't changed because it's cast in the ground. Now we can build up from there, each step, and know that this measured environment is running appropriately.

So people might be concerned. Obviously Bloomberg had a story this week about China putting a mod chip on Supermicro boxes. That's hardware. How do you talk to that? Because I'm now saying, hey, I love the root of trust concept, you guys are awesome, great job, but what about being hacked by someone else? Modifying.

Well, let's assume hacks continue on in time. I think the ultimate disinfectant in this is identity of the device. So give me a list of where 100% of those computers are, and are they in any critical systems that you have? So you're running DHS, and you've got 1.2 million servers across your network. Can you tell me 100% of the machines that have that capability on them, now that you know that Model 45 had that? So we have an example for this. VIN numbers in cars have been a great example of how we've improved the quality of cars. Not that we aren't stupid humans and we build stuff that breaks or doesn't work and people die; we just want to know that if he dies in his car, I don't want to drive the same car he drove without fixing whatever it is that broke in your car.

So you need ID for the car, the asset.

Yeah, and so tracking that, yep, we have it for lots of things, we don't have it for free seas. If you ask the average organization, please give me a list of the software that runs your corporation, they have no idea.

Yeah, yeah, and the same thing with data too, the GDPR thing, all these regulations.

Right, because, so GDPR is a great example of where now I need to prove I had controls in place in order to show that my data is properly made.

They didn't even know they had a server out there.
Right, well, I don't want to audit once a year. I want to check every time I do a transaction: was the person an employee, did they have data at rest in their machine, did they... So we can use the concepts of GDPR regulation to press this idea that I have provable controls at a transactional level for every instruction that's done. I want to know that I have known compute. If you had to write policy for the federal government, it's only known computers connected to sensitive networks and data. That doesn't require rocket science to understand. It's like, don't hook anonymous unknown computers you picked up out in the parking lot and tie them to the nuclear launch, because that would be a bad plan. Like, let's start with at least machines we know, and that are running software we know, and that we've tested, so that we know they're running what we expect and they're working correctly. Then let's use them for critical systems.

So let's talk about the implications. I want to just finish up this segment looking at what you're saying, which is a whole new operating model is coming really fast. The old model is being operated and run by huge companies: Apple, Amazon, IT departments all around the world, governments. So there's going to be some resistance, there's going to have to be some change, and that change is going to be disruptive. How do you see it playing out? Do you see people waking up? Is it inevitable, or do you see a train wreck or collision?

No, I think we have to create a transition. I spent a decade trying to create the train wreck and that didn't work very well. We shipped the technology on every PC. What we've done here is we're making it possible for you to measure the integrity of a device in a mobile phone, and then you can hold keys in it, but I can apply policies or rules to those keys, and those policies can talk to all of my old external systems. So I can ask all my network security stack, where is this device? Is this person an employee?
Is my organization feeling good today before I let you use the key?

You bring programmability and state into the entire operation.

So I can drag along the whole network security stack and all their API-called controls and their SIEMs, and let's hook Watson up and watch the whole network and apply that as a rule to a key. So now I can sit in Starbucks and my device checks to see whether my organization is good and then logs me into Gmail. I didn't have to tell Gmail to ask whether I was an employee. So I can have a mobile phone that says only log on if you're on the nuclear submarine, and it'll work, and I don't have to tell GitHub to check to see whether he's on a nuclear submarine. They just have to know that this two-factor authentication, this external... What's making that possible is that two-factor authentication in all the services is fundamentally device registration, and as we mature that, as the industry matures those standards, it provides the vehicle for all the services to incorporate a device component to the authentication strategy, and then we can engage the robot to make that device smarter.

Robot being the machine.

Our device.

Great, great to have you on. Give the quick plug. What's going on at Rivetz? Give us the quick.

So Rivetz is a fun company going after building these tools. We have a great partnership with Telefonica. We're extending it to other carriers as well, and our mission here is to bring the next billion people to blockchain by giving them a hardware-based wallet for crypto, for IoT, for cloud in 100% of the mobile devices that are shipped, and use the carriers as a mechanism to deliver that to us.

You bring value to the carriers. You also help the users make that usability piece secure. If you can pull that off, man, we'll have a parade on Main Street for you. We need that. We desperately need this. We are so ready for our digital life to become simpler and safer for the user.
And really, for the services, it allows them to have more valuable data. So it's the combination of those two things. It's a win both for the consumer and for the services.

Well, let's hope it can be a seamless transition rather than a train wreck collision. John Furrier, we're here at Talking Security at HoshoCon, the inaugural blockchain security, the first blockchain security conference. I'm here with Steven Sprague, CEO of Rivetz, a hot company in the space, with many, many years of experience. The time is ripe right now. The time's perfect for you. Congratulations. Thanks for coming on. We'll be back with more after this short break.