Live from the Computer History Museum in Mountain View, California. It's theCUBE, covering DevNet Create 2018. Brought to you by Cisco.

Hi, welcome back to theCUBE. My name is Lauren Cooney, and I'm here today with Matt Johnson, who is a technologist at Cisco with Cisco DevNet. Hi Matt.

Hey, how's it going? Good to see you again.

Pretty good, good to see you again too. So what's going on here? What is, what's going on at the show and what are you working on?

Oh, sure. So the show in general is just this ability for us. You know, Cisco DevNet have always had quite a large and well-growing presence at Cisco Live, kind of Cisco's Europe and US yearly conferences, but this is the second year we've done Create and it's really an opportunity to kind of take the real developer angle, the makers, the API integrators, kind of the real kind of developer ecosystem that's growing around Cisco's products and our APIs, and just kind of focus on that audience. So, you know, all the content here is developer for developer, and so it's just really nice to be able to experiment in a bit more of an open format.

Yeah, exactly. So it's kind of that DIY environment of developers that are coming in and really doing all this stuff and starting to innovate on their own.

Yeah, absolutely. And what I'm really excited about here, we have kind of a two-day hackathon running at the same time as the event. And so instead of that just being a little bit of time spent between sessions, these are teams that have already kind of been working behind the scenes on the run up to the event. So they've already kind of met each other virtually through collaboration. They've already worked out what kind of problem space they want to solve. They've already started working on kind of sample and POC code.
So the idea that at the end of a two-day conference we could actually see some working solutions to real problems that our partners and our customer ecosystem are seeing, I think that's quite an exciting idea.

Yeah, Mandy Whaley was just on with us and she actually talked a little bit about that. And so these guys will be up for 24 hours hacking on stuff. Hopefully we'll see some great solutions come the end and we'll talk about it here on theCUBE. So tell me about what you're doing today at Cisco Dev.

Sure, so from one style of hacking to another, we're actually running this demo called the Black Hat White Hat Challenge. And I went to, I've always been a bit of a kind of hobbyist pentester. I've liked breaking things from a young age. And I got to attend my first DEF CON in Las Vegas last year. And coming from an evangelism background, coming from kind of doing workshops and talks and demos, I was absolutely amazed at the interactivity of pretty much everything that goes on at the Black Hat hacking conference, sorry, the DEF CON hacking conference, my apologies. They have hands-on IoT villages where you can go and try hacking against all the hardware. There's kind of labs and tutorials for people that are maybe just getting into kind of that side of hacking and penetration testing. So I kind of brought that back and I've always had a passion for security. And IoT nowadays, we're in a situation where a lot of these devices we're starting to bring into our homes and our businesses and things are built to a budget. They're built cheap. They are not security devices. People aren't thinking of security. They're thinking of functionality when they're building those. So someone that makes fridge freezers isn't going to be thinking about the 10-year security roadmap for that fridge freezer. They're going to be thinking about selling the latest smart freezer. Exactly. And so I wanted to kind of bring some of that hands-on DEF CON style hacking into a real-world scenario.
So at security conferences and at developer conferences, we always talk about things being insecure and we talk about needing to think about security. But what we have is a booth here where we actually take off-the-shelf IoT devices and in a curated path, we are getting attendees with no background in kind of pen testing to use real-world hacking tools and real exploits against those devices to build their access into that network and eventually get to the goal which is getting into a little safe with like a prize inside. And all of that is real off-the-shelf IoT. It's real security. And the aim of that is to kind of...

So they're actually cracking the safe.

They're cracking the safe. They're cracking into Wi-Fi. They're getting onto the guest Wi-Fi and then finding a vulnerability in the router which gets them onto the wired network. So that'd be like a guest network in a corporate environment or a guest network in a hotel. Getting you onto the hotel's infrastructure network and then to a camera.

So this is like straight up hacker one, right? Yeah, exactly, right? Which is perfect. This is great.

Yeah, exactly. So that's what we're doing. And the idea is just to kind of stop talking about it and start showing. This is not stuff you need to be super good at. This is stuff you can Google. The tools are out there. The tools are getting more and more easy to use. And also vulnerabilities are becoming more and more common because of the growth of IoT. There were double the number of CVE, like known vulnerabilities in the wild in 2017 than there were in 2016. And that's because of this constant pace of new devices. So we're kind of showing that these are really crackable by anyone with a bit of time and research. And then also showing kind of what can be done about that. And even without kind of the proactive and firewalls and things like that, just getting a developer audience thinking about this stuff, getting them fresh in their mind.
These are the kind of places we should be focusing on IoT security because it's these developers that will be writing code in those products today.

I think that's great. And I think security is so important today with everything going on. And there's Facebook and testimonies that are happening today and lots of different things. Now, what are you using to actually kind of fill these holes, fill these kind of security vulnerabilities that you're using with these off-the-shelf IoT devices?

Sure. So what we're showing is how kind of, if you know you have these devices on your network, obviously layering things like Cisco's next-gen firewalls in line with those devices has signatures that will detect it's not going to patch the device itself because that might be from another vendor or an IoT camera or a light switch or something, but it's going to detect the malicious traffic trying to attack that device and drop it. So you're kind of protecting your perimeter, you're stopping a vulnerable device becoming an actual hack. Alternatively, from a personal perspective, as we start looking at how we consume hardware in our homes and businesses, I actually really like kind of the Meraki model and the Nest Cam model and all the other camera vendors which charge you a subscription. Because if you buy hardware one off, you have no idea whether that price for that hardware allotted budget for the development team to keep thinking about security or whether that team doesn't exist anymore and they're off building the next product. Whereas if you're buying something on kind of a subscription basis, even though the hardware's in your home, you know that their profit is based on them keeping your product up to date. So you expect real-time updates, you expect timely security updates. And so I think that kind of a software-as-a-service-style delivery of on-prem hardware is definitely a more secure approach.
Yeah, and the Meraki model is definitely moving forward is one of the prevalent models that Cisco has. And it's, you know, that plug-and-play, easy to use, get it up and running, et cetera.

Exactly, and then on the back of that, you know that there's people working on those security things, which isn't something you think about when you buy it for its APIs and its plug-and-play and its ease of use, but just knowing that that is there and it's, you know, you're paying for that development is a good thing.

Where do you see most of these vulnerabilities? And, you know, I know you have a lot of background in cloud computing and, you know, in these arenas. You know, where do you see most of these vulnerabilities?

So, that's a big question. Yeah, I mean a lot of the hackers are going to wherever, you know, is easiest for the amount of time and effort, you know. Certainly when we see kind of malicious actors kind of looking for a large footprint, large building botnets, et cetera. You know, there could be a very, very clever attack that requires a lot of time and effort, or there could be an IoT device that you know there's going to be four million of them sold online. They're going to go for those. And like I said, these devices are low power built to a budget. You can get them into your hands and like a SaaS service online, so people can take them apart. They can have a look at the code inside them. They can have a look at the operating system. So, it's quite easy to find vulnerabilities on these IoT devices. So, that is definitely a growing area. Also, the level for harm on those kind of vulnerabilities if we're talking about internet connected healthcare, internet connected hospital equipment, you know, control valves for factories that may or may not be dealing with certain kind of materials. You know, that is definitely a focus both from a security industry perspective and also kind of where we're seeing hackers targeting.

That's great.
So, tell me a little bit about what else you're working on right now. I think I always find it interesting to hear from you what you're kind of hacking with.

Yeah, sure. So, that's my kind of security hobby cum part-time role, I guess, within DevNet. I quite like that kind of hands-on security evangelism. A lot of other stuff I'm doing is all around kind of open source and microservices and containers. So, we're doing lots of work internally with Kubernetes right now, proof of concepting some new user space networking code.

Oh, great.

Which would allow basically the network your traffic takes from your application in the container right out to the network card to be a user space app. So, you know, you're not stuck with the networking that a cloud provider gives you. If you want to test your application fully like pack it to app back to the wire and know that that network is also going to go with you when you deploy anywhere, we're going to be able to do that.

That's fabulous.

And there's also some real performance benefits to kind of not going in and out of the Linux kernel. So, we can kind of saturate 40 gigabits a second from a container straight down to the wire on kind of commodity compute like UCS or like, you know, any x86 server. So, really excited about that. It's in development at the moment. That's all open source. It will be all open source then. It's all open source already under the FD.io project. FD.io. The integration into Kubernetes is ongoing. And obviously we'll be open sourced as it gets developed. But that's super exciting. Also, just that whole Meraki-fication, if I can say that this idea of turning on-prem devices into kind of black box, you know, cloud managed, cloud updated, you have an IT team. They're just remote and kind of paid for in a SaaS model rather than having to manage and patch those devices on-prem.

Oh, yeah.
You know, we currently do that with switches and routers and cameras, as I'm sure you know, the Meraki product portfolio. I don't see why we don't do that with on-prem compute. Why don't we do that with on-prem, you know, Kubernetes clusters? Why should a Kubernetes cluster, just because it's sat in your data center, be any different in terms of usability, billing, management than the one you get from Google Cloud Platform or Azure or AWS? It should have the same user experience. So, across those two areas, yeah, that's where I'm spending most of my time.

Great. Well, we're kind of wrapping up here. Tell me, like, what is the most exciting thing for you that's coming down the path in the next six months or so? Can you tell us?

I cannot tell you the most exciting thing, I'm afraid. It has to do with everything I'm talking about, kind of the networking, the Azure service. Super excited about user space networking. We have customers that are looking to do kind of real-time video pipelines for broadcast in containers and being able to do that on-prem or in cloud or wherever. And this FD.io VPP technology, I think we'll really unlock that.

That's great.

So, real use cases and yeah, super excited.

Great. Matt, thank you so much for coming on today. It's been a pleasure.

Yeah, my pleasure as well.

This is Lauren Cooney and we'll be right back from the show here at Cisco DevNet Create.