Joyent’s Bryan Cantrill on technology, fear, and the rise of Trump

Joyent CTO Bryan Cantrill has been a welcome presence at Structure events in the past due to his high-energy takes on the state of our technology world. But after the United States elected Donald Trump as president last night, he hastily rewrote his talk to address the impact that cloud computing — and technology in general — is having on the economic challenges that so many people in this country face.

There’s no real way to sum up a Bryan Cantrill keynote: you simply have to watch it in the video embed below (apologies for the low bit-rate version, we wanted to get it up quickly). You can follow along with his slides here. It’s a powerful indictment of the priorities that govern product development in the tech industry, and we’re proud that we were able to showcase it Wednesday at Structure 2016.

Bryan Cantrill Structure 2016 from Structure on Vimeo.

Level3 and Akamai previewed the Mirai botnet IoT attack at Structure Security 2016

A few seconds before Dale Drew of Level3 and Andy Ellis of Akamai took the stage at Structure Security 2016 about a month ago, I whispered my last-minute suggestion for their discussion: “Krebs!” I was referring, of course, to what was considered (at the time) a massive botnet of hijacked Internet of Things devices that took down a site belonging to security journalist Brian Krebs.

What followed during their session was an eerie preview of the Mirai botnet attack on Dyn last Friday that brought the internet to a crawl. That attack, which Dyn said used “10s of millions” of IP cameras and other devices that were easily exploited and harnessed, brought hundreds of sites that used Dyn’s DNS services to their knees.

“When we look at the history of DDoS attacks, we see these harbinger things come up,” Ellis said, referring to a few much smaller but interesting botnet attacks in recent years. Turns out, he was quite right, but the Krebs attack was a preview of the damage that could be caused by such an attack, not the main event.

“I don’t think we’re going to stop the expansion of the internet of things,” Davis said. The problem, as we learned over the weekend, is that some fledgling IoT companies “deploy (a product) before securing it.”

“What’s happened over the last few years, because the largest DDoS attacks weren’t growing, everybody assumed that the age of big DDoS was over,” Ellis said. Clearly, that’s not the case.

Check out the rest of our Structure Security 2016 coverage here, and a video embed of the session follows below.

Keeping The Pipelines Secure from Structure on Vimeo.

Five things we learned planning Structure Security 2016

A very interesting year unfolded as we planned our first security conference.

It’s a year that witnessed a showdown over the right to encryption between the FBI and Apple, two of the most important organizations in their respective fields. It’s a year in which, at this point, it’s fairly well understood that Russian hacking groups — working with or without the knowledge of the Russian government — have attempted to interfere with a presidential election. And it was a year in which even the NSA itself was hacked, making it clear that a determined adversary will find its way into targets that take security as seriously as oxygen.

Next week Structure Security will bring together the people who are setting the tone for the future of information security, and you shouldn’t miss it. Security industry legend Art Coviello will kick off the conference next Tuesday, Sept. 27th, with a presentation on the state of modern information security. Alex Polvi, CEO of CoreOS, will close the conference on Sept. 28th by emphasizing how one of the hottest developments in cloud computing can make us more secure. And we’ll showcase dozens of security leaders in between, from RSA Chief Strategy Officer Niloofar Howe to FBI CISO Arlette Hart to Okta CEO Todd McKinnon.

We’ve learned five things about the modern information security world over the last six months of planning, ranked in no particular order.

  • There is a massive shortfall of qualified information security professionals expected over the next five years.

    If you’re oriented toward a technical career, and have a good head on your shoulders, you might want to consider working in security. Rich companies are throwing money at the best of the best information security engineers, the same way Ruby on Rails experts made bank in the Web 2.0 era and Java engineers outperformed their peers in the first dot-com boom. But this is a little different: security thinking requires a unique set of skills and a different way of approaching software development, and companies desperately trying to improve their information security practices are finding it very hard to hire qualified people in both leadership and day-to-day roles.

  • The frantic pace of modern tech development often forces security to be an afterthought or a bolted-on-later solution.

    Product development engineers have ruled Silicon Valley for a long time now, and inside many companies, those engineers are evaluated on how quickly they can ship projects to market. There are a lot of very good reasons why speed is so valuable, but the need for speed can create vulnerabilities, not just in your code, but in how you respond to security issues. Solving this tension between your engineering department and your security department will not be easy, but it will be harder the longer you wait.

  • Your security people don’t have all the answers. They need to share information with others and employ crowd-sourced bug testing.

    Information security is one of those difficult fields in which you’re only really noticed when you screw up, despite how many times you’ve saved your company or client from serious harm. That unfortunate reality creates a bunker mentality in which security professionals in similar industries are very reluctant to share information about attacks and threats with each other, making everyone less secure. Yet at the same time, more and more companies are realizing that they can’t expect their own security teams to catch everything. If Apple, Google, and the Department of Defense are willing to embrace bug bounty programs, then everyone should at least consider the benefits of crowd-sourced bug hunting.

  • Just as open-source software took over the enterprise computing market over the last decade, open-source software is poised to take over the information security market.

    The maturation of open-source enterprise software revolutionized the practice of building and scaling information technology departments; this year, Microsoft employees became the leading contributors to open-source projects on GitHub, which is a staggering change to anyone who remembers the software giant’s epic battles against the very nature of open-source software. We believe that something similar is going to happen to the information security market as well, and you’ll see a preview of that future at Structure Security.

  • Machine learning and cloud computing are changing how information security tools are designed, developed, and deployed.

    One of the biggest problems in modern information security is that it’s nearly impossible to protect yourself against the sheer number of threats and exploits out in the wild, not even counting the ones we don’t know about yet. But what if we could train powerful systems to understand threat and vulnerability patterns? And is putting our workloads in the cloud making us more secure, or concentrating some of the world’s most valuable data in three or four places that will be irresistible to the best criminals? We don’t know yet, because these trends are still evolving in the mass market, but we’re going to talk about it.

Security is one of the most fascinating subject areas in technology. It’s full of heroes and charlatans, stone-faced government automatons and delightfully punk-rock hackers, and, for the most part, hard-working people who are trying to protect our most valuable institutions and organizations against a growing tide of determined attackers.

They know that our world will only become more and more digital every year until Earth gets hit by an asteroid or runs out of energy. Willie Sutton, when asked why he became the most notorious bank robber of the 1930s, supposedly said “because that’s where the money is.” In 2016, the money is in our networks, and protecting it against the spiritual heirs of Willie Sutton is one of the most important jobs in technology.

Join us at Structure Security next week to learn more about the future of information security. I’d like to thank all the advisors and friends who helped us plan this important conference, and we promise two days of stimulating discussion at the beautiful Golden Gate Club in San Francisco’s Presidio district.