From our studios in the heart of Silicon Valley, Palo Alto, California, this is a CUBE Conversation.

Hello, and welcome to Palo Alto CUBE Studios. I'm John Furrier, host of theCUBE. We're here for a great CUBE Conversation with Gilad Bracha, who's a distinguished engineer at Shape Security and has a legacy in the programming world: one of the early folks working on Java, a variety of other great things, Smalltalk, Newspeak, a variety of programming accomplishments, a legend in the industry. Thanks for coming on.

Well, thanks for having me. It's a pleasure to be here.

You know, one of the things we always talk about on theCUBE is how "I work for a company, they do this, they do this great, here's our differentiator, here's our advantage," a lot of marketing speak. We also do a lot of interviews around disruption, around cloud computing, getting to DevOps, network effects, changes of network, moving packets around, storage, compute, all the benefits of cloud computing. But we don't really talk about the underlying languages that are driving all the changes, and this is something that you're an expert in. I want to get your thoughts on this because, you know, computer science is at an all-time high. You can't go to Berkeley, you see what's going on at Berkeley: the number one major is computer science, the data classes, dreams of starting a company. But computer science is changing a lot. More people are coding, but does that mean there's still more computer science going on? So a lot of people are trying to understand where the future's going to be, and underneath it all are the programming languages themselves.

Yeah, well.

Your thoughts on computer science and the languages out there.
So, too much to say, but computer science is a lot. You know, there are trends, and there's a lot of emphasis now on machine learning and things like that. It's interesting because, of course, which language you use can make these tasks a lot easier or a lot harder, and you see certain languages being picked up for that purpose, and a lot of new languages being done, like Julia for numerical stuff. People are using R, God forbid, and it's really interesting to see that. To me it's interesting because there's a whole set of languages, the APL family of languages, which really go back to the early '60s, but they're just phenomenally designed for these kinds of large arrays of data, for doing mathematical operations in parallel on large arrays or multi-dimensional arrays, essentially tensors, back before that word was used in programming. There's huge potential for doing better in terms of programming with those things. So that is one new, not new, but area that's kind of coming alive again. It's really cool.

You know, it's interesting too, you bring up a point. We were talking before we came on camera about Lisp and all these other cool sciences out there. With now the advent of unlimited compute with cloud and now kind of new connected devices, a lot of the old science is coming back into vogue because of some of the use cases. I mean, I remember when I graduated college in the '80s, they had departments that were actually called data processing departments, and they used data processing. That's what they did, they processed data. That's the number one use case today, processing data. So a lot of the old is coming back because it's relevant in this new era. So I've got to ask you, what is your favorite science in computer science that you think is relevant? You mentioned APL. What concepts? We see TensorFlow with Google, you know, things like that coming back.
You see machine learning and AI. These are not new concepts.

Well, some of them. I mean, machine learning, definitely there have been breakthroughs in the past, I don't know, 10, 15 years. But the basis of it, the beauty of this, is that the basis of this is the old real hardcore math, calculus and statistics. That stuff is golden, and wherever, you know, it applies throughout the universe, and you look at reasoning about these things and it comes up again. That's the root of it all. Making it so that you can manipulate things closer to the level you can with math is really the challenge for programming languages, so that you don't spend your life dealing with sort of irrelevant, boring details. Oh, this has to be in lowercase, that has to be tabbed. This tool doesn't work on that operating system. Most of our effort as software engineers goes to dealing with junk, really, and we should try and abstract over that and get over that.

What are some of the exciting things that get you excited about programming languages? Because there's a lot more excitement, a lot more opportunities now you're seeing. You can stand up software very quickly these days, and so there are some really quick and dirty ways to get software written with languages. Some want more principle-based design languages that have all the integrated components. What's the trade-off? What are some of the things that you like around the new trends?

So I'll give you something that meets both of the criteria, that is both very principled but actually makes it much easier to put something together.
One of my favorite new things that have come out in the past few years is a thing called Elm, which is a language. Essentially the main application so far has been to build websites, essentially UI that's targeting a website. It is a functional programming language, but it is much more approachable than the traditional academic stuff, even though the ideas are basically the same. But they're very well engineered, actually better engineered in many respects than a lot of the traditional stuff that you see, like Haskell, OCaml and stuff. It's targeted for the web, so it's a different game, but it is a joy to use. It has great error messages, it has a time-traveling debugger, which is one of my favorite hobby horses, so you can actually go back and roll the computation back to where a problem occurred. That kind of is interesting because it meets both of those points.

Talk about this live programming. You mentioned rolling back, and this is around live programming. This is an exciting area. Your thoughts on live programming, because we're seeing collaboration where I can have a screen open. I saw a demo at Amazon re:Invent last year or the year before where people can be in different parts of the world or different offices in the same building, coding the same thing. I get the collaboration piece, but there are also live programming languages that have built-in compilers, changing the old ways of debugging. Your thoughts.
So definitely that is something that people who have a heritage in Smalltalk or Lisp kind of remember from those systems, or, if they're very lucky, still get to use them. The thing is that most programming languages don't have that level of interactivity when you work with them as a developer, because there's too much of a feedback loop between when you actually specify what you want to happen by writing code and when you actually see what happened when you run your code, and it typically doesn't do remotely what you wanted it to. That feedback loop is too long because you have to go through compiles and builds and whatever. The idea of live programming is to shorten that, so that ideally you instantly see: you change something and you can see the output, and the output gets changed accordingly, and you don't have to wait. In particular you don't have to go and rerun your program and get to the same point where you were, especially when you're debugging, right? That's the beauty of fix-and-continue debugging, which is sort of a small but important piece of live programming, where you can basically go and change a function and immediately proceed with the computation. You don't have to restart, you don't have to get to where you were, recreate the state, make sure the heap is the same thing. And that just, hey, it's productive, it saves time, it's just a joy to watch and play with. This thing is much more tactile, you actually feel...

It's faster too. You don't have to do all the steps involved with classic debugging, just restart, do it all over again.

It's faster and it's less error-prone, because in those steps you make mistakes. So you went through all these steps and you forgot one thing or whatever, or you did something wrong and didn't notice, and you chased some, you know, went on a wild goose chase trying to figure out a bug. So it really is a huge help to productivity, and it's just so much fun to work with these systems.

Well, I've got to get this question
for you while you're here, because I get this question all the time and it's common. A lot of the young kids want to program. They think they know, they see the future, they know that coding is a good skill to have. What's your advice to parents out there or kids, whether they're in elementary or high school or college, that might have a focus on, say, "I'm a neuroscience major" or "I'm doing this, but I want to learn how to code"? What's your advice for how to learn how to code? Because, you know, I've seen, "Oh, learn Java." I'm like, okay, not really my first choice here. Eat spinach, you know, do 50 push-ups. No, it's not that comfortable.

Java's not my first choice, for reference. But also 50 push-ups and spinach are better for you, and Java is actually positively damaging at an early age. You should not be doing that.

Doing Java in particular?

No, no. Java.

Why is that?

It's just too complex, because it's a lot of irrelevant boilerplate. It's a lot of stuff that should have been obsolete before and will be obsolete by the time you hopefully get to work for real. It's painful, and if you aren't really into it, it'll just turn you off of the whole field.

What's going to get someone excited? Is it Elm? Is it, you know, gaming? Is it some sort of...?

Yeah, so Elm is good because you can run it, you don't need much setup, you can run it in a web browser. I'm a Smalltalker and I still love the Smalltalk systems, and they're still, overall, as a complete programming experience, they're still unmatched, except for Lisp machines, which are kind of hard to come by. So I'd focus on those. You could try Clojure.

People tend to talk about Python, they talk about some of these languages. Someone's going to tinker around. What's going to be the addictive, if someone's...
So people get addicted to all kinds of things, but I tend to avoid the mainstream. People tend to latch onto the mainstream because they think it's a good career move or whatever. My advice is: get good, learn the fundamentals in the cleanest way possible, then the mainstream stuff will be easy, rather than focusing on that, because there's so much irrelevant detail in those systems and the programming experience is not that great. So try something a little less... I mean, Clojure is a Lisp that you can use, and there's ClojureScript as a version that runs on the web. Try Elm. Try Smalltalk.

And all these languages, they can actually produce something of value?

Yeah, they can, definitely. I think still 70% of the world's container traffic is still run by a Smalltalk application.

But that's... Really? I did not know that.

Yeah, well, few people do. In Smalltalk you find that its sort of heyday, in some sense, for commercial applications was in the '90s or '80s or whatever. But replacing those applications, the typical story is someone says, "Ah, well, we should use Java because everybody's using Java and we can get lots of programmers," and they spend a lot of money and the new application doesn't work, because they can't actually rebuild the thing they built in Smalltalk at any reasonable cost, at any reasonable reliability. So there are a lot of those systems out there. Morgan Stanley is still running Kapital, their Smalltalk system for managing money. So yeah, you can certainly build things.

I love your commentary here. I love that you're not shy to hold back. I've got to get your thoughts on cryptocurrency and the blockchain world. A lot of different languages: you've got Ethereum, you have some saying, "Oh, I'm going to use Linux," if you're using Java you're going to import it, and JavaScript support. So there's been kind of like this, every kind of cryptocurrency blockchain has their own language for decentralized applications. Your general thoughts on this?

So there's a need to slow down and be more careful.
All right, Ethereum lost God knows how much money. I've heard quotes, I don't know if it's 50 million or 150 million, but a fair amount of money, due to problems that were classical distributed programming problems and could have been avoided by essentially more careful design of the language and the system. There's a pressure now to turn things out in a hurry. In the old days these systems took years and years of research in their little corner, and now everybody has to do something too fast, and that hurts. Often it's people who don't have the expertise and the background, because there's lots of research on all kinds of problems and smart people get snippets of those and they don't quite know what they're doing. I don't think there's a cure for that because the incentives are there, but that's why we're seeing these problems.

So be careful. The message is be careful.

Be careful.

We're rushing, all this cash is rolling in, they've got to have some language.

Sure, as long as they're not there, 150 million dollars that they lost, that's fine, but someone was probably upset.

And by the way, that security problem was software error based.

So most of them are.

It transitions into Shape Security, where you're now working as a distinguished engineer working on some hard problems. I know it's pretty confidential, but you guys do power 200 million iOS apps, this is from the PR statement.

Probably more by now, but yeah.

In the past 24 hours you block more than 2 billion fraudulent login attempts, 2 million legitimate attempts, essentially defending. Intrusion detection seems to be the company's value proposition. I don't want to get too much into the company because you're obviously on the engineering side, but security from a programming language side is software and people.

Right, software gets bugs.

And people make them worse.

People make them worse. This is the central problem in security. Your thoughts?

Yeah, well. So most of the time, I mean, Shape does real security and this is fascinating to me,
but most of the time I've been looking at security at the programming language level, because still I think 70% of the intrusions, often not the intrusions but basically these big software fiasco security problems, get down to array buffer overflows, which is ridiculous because this is a problem that was solved decades ago. Why are we still dealing with this? That's because of programming language design. The whole approach to security, access control lists, whatever, there was another approach which was capability-based, and these two grew up together in the '60s, and the world, as it typically does, makes the wrong choices. It takes what seems appealing in the short term and not what is sort of a more thorough thing. So object capabilities is a really interesting way of looking at this thing. There are people working on putting some of this into JavaScript so that you could use it somehow, great work by Mark Miller and company at Agoric, I'll do a shout-out to them. So I've usually been on that side of things, but real security, there's a lot more to it. That's just one small layer of things, and above that there's all the humans and the multiple systems they build, the configurations, the just mistakes, the things that happen through social engineering, about which basically I don't know much. But I will say that making things simpler is key, because that's why people make mistakes: things are too complicated. If every piece of the system has some bunch of clever engineers who really think it through and make it really sophisticated, but when you compose these it becomes a thing that no one understands, no one understands what's going on, and we need to simplify. My work is to try to simplify at the programming language level, which the typical languages people use are too complex.

And this is really where the software always has holes in it, and you've just got to be on top of it and make it tight. That's the word.

Basically, you can't understand the consequences when you have too many moving parts,
as it were, too many constructs in a programming language. The composition is endless and it's very hard to foresee how they're going to interact and what someone will come up with eventually: oh, you could use this to attack that, or this creates this bad scenario that people don't notice. Really there's no remedy to that. You can work and you should be careful, you should test things, you should verify, if you can, formally. But if you just try and keep it simple, clean abstractions that are very simple and compose well, you will simply avoid, by definition, most of these problems.

Final talk track, around open source. It's been well documented that proprietary software that's funded by companies, when it kind of stops innovating, kind of dies on the vine. Open source is great, you've got leverage, you get it out in the open, it's great. So open source has been growing like a weed over the past couple of decades, and recently it's been phenomenal. The open source people say, "Oh, security is better in open source." At the same time, you bring up the notion of language security in the programming languages. How do you see that rectifying itself? How is the security paradigm with open source going to be stable, or what do companies need to do? Because open source is being used everywhere.

Open source is used everywhere for good reason, but open source is not by itself a magic thing. It's still, you get problems. Open source is also open to malicious contributors, to problems, and the systems are too big, even though there are code reviews and everything. So it's a double-edged sword in some respects, and sometimes the quality just suffers. These are social organizations and each one is different and they have problems. So I don't know that that is... It's good that you shine light on something; it tends to purify it, certainly. That's a great strength of open source, that you can't have things buried in there that you don't know. By the same token, it is not, you know, a panacea, because often... and
the other thing is someone has to fund this somehow. All the open source models have to find somewhere to keep this going, so it's a more complicated thing to pull off than having someone sell something.

Especially with all these appliances now, like, which version of Linux are you running? Do I need to review the code? How do people ensure the security, knowing that, whether it's an appliance or a device or a phone or anything, it doesn't have some sort of backdoor or security vulnerability?

Well, backdoor... I don't get excited about backdoors.

This is a conspiracy theory, or just poor code?

Poor code. Well, poor code. Open source is full of poor code, is the truth. And the other thing is that one problem with open source is it also makes it easier for people to attack it, because they can see how it's engineered. So, you know, there is a reason that secure systems tend to actually maintain a certain level of secrecy. So I wouldn't go overboard on, you know, the open source ideology that it's inherently more secure. It has the advantage that you can see what you're getting. It has the disadvantage that everyone, including your adversaries, can see that. So, you know, you know that going in.

Buyer beware kind of philosophy.

Yes. And so ultimately you need to trust, like, it always comes down to trust at some level, because there's no way you're going to verify the software, the hardware, the bits. You can have problems in the hardware. This is a big problem nowadays, actually, with certain vendors, and I don't want to get into those political footballs, but...

Yeah, Supermicro.

Yeah. And so you really have to see who... you do have to take a risk, and who do you trust? Who has a reputation? Who is responsible for things that have worked? And there are no easy answers.

Well, Capital One.

Beyond my pay grade, really.

Well, let me get your thoughts on Capital One, because we know that is, sorry, is hot as of this week. They had an Amazon S3 bucket, firewall filtering failed, someone just stumbled into it. I
mean, the person that hacked it wasn't like a, probably a famous hacker. She was bragging on Twitter and then message groups, like saying, "Hey, I just got in." So doors open, keys are in the car, walked right to the safe, safe was open.

So I don't know anything about that incident specifically, and all, I mean, beyond what you and I have read on the web or somewhere. That's a human error, but they're usually, usually there's always, almost always, human error involved. It's also why you need sort of, it's like countermeasures, right, and counter-countermeasures. It's like, you know, that you simply have to monitor, right? You have to be so that when something, when you have an intrusion, you check it. Now, that's not easy, but there are lots of clever things that people are doing. You know, you can have... security as an afterthought is really hard. That's generally the problem, is that people don't think about it early enough.

Final question for a break: what's the human problem that you see most with developers? Because if humans make mistakes, which they do, what's the common mistake developers, programmers, make when coding that could be avoided with just a little bit sharper focus?

Uh, well, it's not about focus, but I'd say null pointer exceptions are the biggest, like after array buffers, they're the other, you know. Tony Hoare called it a billion-dollar mistake in 1980, during an award speech I think, and we're talking now, it's probably a trillion dollars, right? And this is something that can be mechanically checked by the programming language, and it's probably the number one, you know, bang-for-buck feature that you might throw in. Just say no to null.

Yeah, that's the possibility. You know, thanks for coming on theCUBE, appreciate the conversation. I'm John Furrier here at Palo Alto at theCUBE Studios. This is a CUBE Conversation. Thanks for watching.