Hi, folks. I'm sitting here with my friend Dino Dai Zovi, the Chief Technical Officer of Capsule8.

>> Hi. How's it going?

>> How you doing, Dino?

>> Good. Great.

>> Hey. So you work for a company that focuses on Linux security.

>> Yup.

>> Seems like that's a big area. The key data center.

>> Yup.

>> How did you guys get into Linux security? To see the problem or what sort of was the driver.

>> We saw the problem and we also saw the shift in technology stack as bigger companies, especially companies in Silicon Valley, were building their production environments. They went natural with Linux because it allows them to have a deeper level of control where everything becomes software defined. And this became the architecture of their production environments and we saw this actually shifting to everyone else with the Cloud and with containers and going to more traditional, more security oriented enterprises. And we saw that a lot of the tools that they had been used to and at their disposal were just not a good fit for this new technological wave that was being ushered in by their engineers, by the ops people, by the market, and in itself. And so we wanted to create better tools for them.

>> That's awesome. Now, here is an example of somebody who comes to cybersecurity with a background in development and in hacking. You have some background there. Tell us a little bit about what kind of got you interested in cybersecurity in the first place.

>> Sure. First, I want to tell people what I think hacking means. So, hacking means finding the creative solutions to things. I mean solving puzzles, it doesn't mean trespassing.

>> Right.

>> So when I say hacking that's what I mean, and I've been obsessed with the kind of the chess game and the puzzles of computer security since I was like 14. So, that's been my background and growing up with the Internet. The best thing about it is that all this information is at your fingertips.
The security community back then was very open with information. So they published zines with how-tos, and how this worked, how these things failed, and you can really learn everything you wanted from open mailing lists and just all these resources. And that's really how I got into it, and when I got started, there wasn't really a career path but I knew who my heroes were, I knew I was like, "Oh, I can get paid to legally hack into companies, like that's awesome, like that is so cool, like I don't have to worry about stressing out, like this is cool." And that's what I don't want to do at that age.

>> Can you be a competent hacker without having some understanding of Unix-based systems like Linux and Android and so on? You think that that's kind of a prerequisite?

>> I think it's a prerequisite because what I always saw hacking as understanding a system better than everyone else. So, if you are looking at technological systems you have to understand it better than the people that built it. And when you can do that then you can work your way around it and navigate it, you can essentially surf. And there's always an element of social engineering as well but that's just understanding people and how to navigate that system.

>> If someone came to you and said the following, tell me what you would say in response if they said, "Hey Dino. The way I'm going to protect my Linux system is I'm going to scan for all the vulnerabilities on it." What would be your response to that?

>> I say that's necessary but not sufficient. It's a good start.

>> I think we have an obsession with vulnerabilities in the industry because they're very concrete and we can feel like we're making motion without progress, because what's really important is defending against attacks and vulnerability is just the first stage in the attack.
First, there's the vulnerability, then someone has to figure out how to exploit it, they have to be able to find a target susceptible to it, choose that target, and once they're in they have to go to find the information they want and that information has to be of value to them. If we think about this entire chain from the side of an attacker whether regardless of what their motivations are, we can design better defenses, we can make our data inaccessible to them or not useful to them, we can make our systems more expensive for them to attack, or we can just become better at identifying their attacks and taking evasive corrective action. When we think about all these things and it just becomes very easy to count vulnerabilities and to assume that we can find and fix them all, but I think that is just not a tenable strategy.

>> Now, I've heard you say before that improving the development process is really the correct thing. Is that your thought that you need to prevent vulnerabilities in the first place if that's really the way to do it?

>> I actually focused these days more on the kind of the deployment environment and I think of it holistically because it's really difficult to write bug-free code and if it's almost impossible and attackers can analyze the code offline and find that one weakness possibly using an entire cost or full of fuzzers and they get to spend all that time and the attacker has no right or the defender has no idea when the attack is coming. Bug-free code, I think, is a poor strategy for that. I like figuring out how to shift things to the defender's advantage by putting a lot of that information they have to learn online now. So now, whenever the attacker tries to attack the system, they make their activities known and when they're trying to figure out how the system works that is a heads up to the defender.
And that actually I think really makes a better defensible systems more of a reality when you have better visibility into what's going on in your environment and what should be happening and what shouldn't be happening.

>> You think Linux is a good operating system?

>> Absolutely.

>> You do?

>> Yeah.

>> What makes it good?

>> What I think its core strength is its malleability, because one of the things I like to think about is how do we get better at getting better. And that means decreasing the latency of our iteration cycle and our learning cycle, and with Linux, because everything is open source, you can make the change, you can deploy the change, and the community moves a lot faster in the way that people are deploying Linux now in the Cloud means they can update their kernel almost seamlessly, which was previously a very difficult operation. It just happens behind the scenes when there are AMI on their auto scaling job is rebooted. And as we move closer to that approach, we can learn from attacks and have the fix deployed much quicker, we can make our environment a moving target so that attackers can't learn it and so that defenders our attackers have to keep pace with the defenders versus the other way around.

>> Interesting. Question we love to ask our guests as part of the series here is there a level of optimism around cybersecurity as it unfolds. Well, what do you think? Are you more worried or more optimistic about the near and long term future of cybersecurity?

>> Overall, I'm optimistic.

>> Optimist.

>> Because what I've seen over my career is yes, I've seen a lot of breaches, yes, I've seen a lot of systems that are hackable or compromisable, but I've seen us get better and I've seen us build popular large scale systems like my favorite is Atlas, my favorite example of this. There is a strong amount of security in the system that we use to think that a few things. One, no secure system will ever be popular among consumers. Prove that false.
Once you have physical access to a system it's always game over. It also proved that false. And so we're making progress. And as we keep making larger pieces of our technological infrastructure defensible enough so that we are safe, and I put a big difference between safety and security. Because security means that no attack is possible. Safety means that for the attacks that you care about they're most likely not going to happen. And that's what we really care about in making more parts of our infrastructure defensible and so that our digital communications are safe, so that our personal information online is safe and our businesses are safe. That's what Internet security is really all about.

>> Interesting. One last question I want to ask on behalf of the community here. If people watching want to learn more about Linux in general, what kind of advice would you have? Should they be downloading it to a PC? Should they be reading something online? What would your advice be?

>> My advice now would be one, download it to your machine but get into the Cloud as soon as you can. There are free tiers on most of the Cloud infrastructure companies and for where people's careers are headed, it's absolutely going to be based on the cloud over the next 5 to 10 years.

>> In the old days, it would be get a shell account.

>> Get a shell account. Now it's get an AWS account, launch Kubernetes, start playing around with clusters because the computer is now the data center. It's not just a single node and the operating system that matters is the framework that you use to manage that, whether it's a large scale on prem cluster at a big company or it's a mix of Cloud infrastructure, because in order to tackle the jobs that we're going to be tackling and in computing over the next 10 years, we're going to need to scale the amount of computers way faster than we can scale the number of people and that counts for security as well.
We need to amplify the expertise of the people we have not just keep throwing more people at the problem so that we can scale our expertise to the problem we have and we can scale our human capital to the computational size of the problem to what we tackle.

>> That's great advice and good marching orders for our whole community here. Thanks so much for taking some time and sharing with us.

>> Thanks for having me.

>> You bet. And we'll see you on the next video.