BSidesAtlanta 2019 - Michael Anton - Blocks and Chains - Blockchain Realities

challenging name was obviously a Ford name we're a swiss company this was a cyber security company who came out of a could be called negra they've been around since the 1950s but we're they're wholly owned subsidiary that does cyber security so we do have a challenging game to pronounce here in the States but it you say it enough time to starts rolling out the time so cool thank you guys very much for coming out I hope you guys are enjoying the content of the conference so far hope lunch was good I'll probably skip the cliche about being at a timeslot immediately after lunch and just hope that no one falls asleep during the presentation but

that's that's just fine before I get going I always like to do a quick poll just so that I can understand who it is that I'm speaking to so just show of hands here how many of you guys would say that you are watching people cryptocurrency people maybe you know a lot about cryptocurrency maybe you're heavily invested is some sort of cryptocurrencies cool or - awesome how many of you guys would say that you're either apprehensive about the technology maybe you don't know enough to know one way or another you're just you're not quite a blockchain person because maybe you haven't learned about it yet so hands haven't been fully exposed to technology okay now the third option how

many of you guys are sick and tired of hearing about blockchain and plan to harass me with challenging questions and insults about my mother afterwards anybody well I saw one hand so I look out for you that's okay well you know what a beautiful audience in thank you guys very much for coming out I am Mike Anton I'm a Senior Product Manager of blockchain at Cadell ski security I will tell you a little bit more about what that entails here in a minute but for those of you who have seen blockchain talks before I think that you guys probably have similar come back from back back behind here I'm sure enough as it is I don't need that

working against me I think if you guys have seen a blockchain talk before then you've probably seen a lot of the the grandiose arm-waving the blockchain is the future of everything and I try to take a slightly different approach not that there's anything wrong with being a futurist any way shape or form but I also believe in pragmatism and so for example I like to start with a riddle what new chick-fil-a a Game of Thrones and Atlanta traffic have in common anybody all three include problems that will not be solved with watching no matter how hard you try to stick Game of Thrones on the blockchain there will be no season 9 no matter how badly you want

to stick every car on the Atlanta freeway at rush hour on the blockchain you're still gonna be sitting there in traffic and no matter how hard you try to block change chick-fil-a they still will not be open on Sundays so I'm sorry for that if you guys are looking for those sort of solutions then I apologize for the letdown but I'll let you know right off the bat that that's not what I'm about I will show you though a quote that is very near and dear to my heart and we'll discuss this a little bit more as we go but certainly something to live by maybe build a career off of who knows so really really absorb this one so I'm

Michael Anton I am a Senior Product Manager of blockchain within our research and development organization at Cadell ski security I started my career in consulting with a small to mid-size consultancy called fertility I got to travel around the country solving a really hard data problems for banks so that was fun and terrifying simultaneously if you guys ever work in financial services I never saw the data that that is there you probably be terrified too I went over to first data I just hadn't got enough of the financial services in life so whatever the first data where I worked in ecommerce fraud prevention so we worked on taking a product to market that would evaluate 100 to 200 different

characteristics of a credit card transaction in real time run it through a machine learning algorithm and then score on a scale of 0 to 1000 how likely we thought it was to be fraud we could return that score to a merchant and they can make the educated decision for themselves whether or not they wanted to accept the transaction right there at the point of sale so pretty cool product for sure but I was extremely excited to make the switch over to Cadell skee security like I said right at the beginning to talk for a small Swiss cyber security company coming from a larger parent company that's been around since the 1950s we do things like route of trust

IOT security where we've got a whole Corps of photographers and brilliant people so a little bit about my job these are our brilliant people and I like to consider myself the professional dumbest guy in the room it's a it's a pretty cool job to be I don't know if you guys have ever work with product managers before but these are geniuses these are our stallions as they would have said in the show Silicon Valley these guys have some amazing ideas a lot of them are technologists scientists cryptographers we've got physicists on staff and so as they have crazy ideas for new technologies what I try to do is like go out and I've fit up these

technologies and I try to build and run a business around the technology so I say that not to make this a product management speech in any way shape or form but I feel like this gives a little bit of background about Who I am and kind of the angle and I'm coming from when I present this talk to you guys so have you guys ever worked with a product manager before yeah handful of you cool some people not so many I know a lot of the folks that I've worked with in my company I'd never really worked with product managers before a lot of people will think it's project manager a lot of people think it's product owner and I

will say that a product manager to span both of those activities as well but I think that this pyramid right here kind of represents my job in a nutshell and this will be the end of my arm waving about product management but what we like to do is separate things between the problem space and the solution space there are problems out there in this world and we want to understand what they are without starting to think through solutions if you guys are engineers if you've ever been through any sort of problem solving class or problem solving process this is probably familiar to you and then we've got our geniuses that solve problems professionally that live in the solution

space they tend not to talk very well together and so what a product manager does is owns this entire pyramid and strives for this golden sliver in the middle that I like to call product market fit and this is how well can we tailor a solution to actually fit the needs of a problem I'm sure you guys have seen some amazing technologies amazing problems out there or products out there before that look really cool look really sleek but what problem do they actually solve right that's probably the work of someone starting in the solution space and not really involving a product manager or not not really working to the point where they understand who the client is and what

they need so that's enough about me I'm certainly happy to talk afterwards I'm a very passionate product manager so if you guys ever have any questions certainly feel free to pull me aside over the next 40 minutes or so I will give you guys a quick blockchain primer for those of you who haven't been terribly exposed to the technology I will talk through blockchain and the enterprise and then I'll kind of give you a couple looks into the not so distant future for the technology so you can kind of understand where it's going the overall point of this presentation though is to convince you of a couple things one blockchain will not solve all of your problems but there are some

things that it knows very well blockchain has the ability to help industries and enterprises disrupt their current processes and move into completely new and uncharted waters I really do believe that especially in instances where you've got multiple parties exchanging value and a low - medium trust setting and then finally whether or not you guys like it whether or not crypto wins or crypto loses or is up or down or where the markets go understand that it is coming it is starting to creep into enterprises now demand is picking up and so you guys as security practitioners need to be prepared to understand the technology and some of the threats and challenges associated with the implementation of it

cool so what is blockchain first let's talk through Bitcoin versus blockchain because that's that's a really good starting place I feel a lot of people tend to say Oh blockchain is that fake Internet money thing right it's that thing that they they invent it and it's faking it of money and drugs and terrorists that's that's typically what I hear from someone who isn't terribly familiar with the terms they tend to to merge the topics in their minds so let's let's get it straight let's try and understand what they are and separate the topics Bitcoin is fake internet money that was invented by Satoshi Nakamoto this mysterious individual or group with a really cool white paper called Bitcoin a

peer-to-peer electronic cash system released in 2008 they still don't know who certain who Satoshi is so there's a lot of mystery around this but basically bitcoin is a network of people and a network of nodes that can exchange value from peer to peer to peer in ace in a low trust environment where they can still have faith in the transactions as they're taking place so you'll see here I don't want to get too too deep into the details of exactly how the blocks are built but it's an awesome combination of understanding tokens and stringing them together with with hashing now blocks contain all the new transaction data and each block contains an encoded hash of the previous block

before it so that's how you end up getting this chain concept of how they're all strung together so what is sorry I'm using a master to try and drive the slides so what is watching strip out the fake internet money blockchain is really just a data store that is built on top of historical data a good description here for it is a ledger that is distributed decentralized and irreversible let's talk through what that means first of all it's a ledger it's a data store you've got data stores and all of your enterprises all of your IT ecosystems today if you don't need a data store you probably don't need a blockchain let's start there it is a data store then that is

distributed so we've got a bunch of different peers running on some sort of peer-to-peer network and this distributed network allows people to exchange money or tokens or anything of digital value in a decentralized manner what that means is that they don't have to rely on trust provided by some sort of third party intermediary who's going to give a transaction credibility so what does that mean if I were to pay you for example say it were to venmo you fifteen dollars because you picked up the tab for pizza the other night or something like that how do you know that my money is actually good how does it actually make it over to you well present-day I have to rely on a third

party intermediary who's going to handle the entire transaction from the time that it leaves my account all the way to the time that it enters your account and that provides a decent amount of trust what this allows is a framework to pull that intermediary yeah so it's a decentralized way of exchanging that value finally because of the way the blocks are built on top of each other because each one contains a hash of the entire previous chain and makes it irreversible so the blockchain or a blockchain is always moving forward there's no way within mathematical reason to go back and change or taint historical data on a blockchain those are kind of the basics it's also

important to realize that there are a numerous variants of different types of block chains out there I want to give you a little bit of a sense about what consensus is so you guys might hear the word consensus this is something that's thrown around quite a bit and it's actually kind of a commercial topic in the blockchain world and also for people who maybe are not as familiar with the blockchain world but certainly want to poopoo it pretty quickly it's this concept of proof of work and proof of stake and some of the other consensus mechanisms so we've got ourselves distributing digital value in a peer-to-peer network everyone's got a copy of the ledger someone goes ahead

and transact who decides who gets to copy or who gets to update the latest copy of the ledger right who retains the master copy of that ledger well this is a really really important problem because those who have that ability to update the copy have the ability to potentially taint the data within it and so we've got this whole emerging field of crypto economics that's come out where people are trying to understand how to incentivize people to take certain very specific honest actions without jacking up transaction cost too much without having to insert a complete intermediary so that's what these consensus mechanisms are we've got proof of work this is the really well-known one this is probably the most

controversial one out there this is the concept of solving a really hard puzzle so how do I know that I get to add a block to the chain well I get to solve the puzzle and I solve the puzzle first this is what Bitcoin uses this is currently what aetherium uses although they're switching over to proof of stakes slowly and potentially in different chunks but this is controversial because of its high energy consumption so I don't know if you guys have heard this before this was from DG columnist Annette actually this week they constantly update this number but every single transaction that happens on the Bitcoin network takes so much electricity to mine that you could power

14.7 US households for a day just to solve the puzzle that you need to to add it to the block that's crazy that is a crazy amount of energy consumption and so while there are some amazing things that you can do when you have consensus in a peer-to-peer mechanism this is obviously still a problem associated with a young immature two Algie that needs to be solved because the future of payments cannot require 15 households worth electricity for every single transaction we've got proof of stakes so instead of my name we're now forging proof of stick basically says that we're going to allocate you your opportunity to add a new block to the chain based off of the percentage of the

monetary base that you hold with the idea of being that if you held so much cryptocurrency in a specific blockchain or whatever it was you would not be incentivized to do anything that could undermine the value of the legitimacy of the currency or its operations for fear of devalue in your own asset so it's kind of an interesting concept it's still definitely unproven in it's it's definitely controversial as well there are many many other consensus mechanisms out there there's proof of proof of Authority proof of importance those kind of look like proof of stake with some extra business logic added in to try and make someone authoritative or important but I'd say that those are kind of the

basics about consensus mechanisms that one should know proof of Authority has come up a couple times and I've seen I never understood it could you mind to just explain a little more yeah so there are a couple different algorithms about proof of authority that are out there either way though it's basically just evaluating someone's characteristics what can make them important so it would be anything associated with the time that they've held their money to the the amount of money that they owned like the worth of states yeah exactly and they're different structures of these peer-to-peer networks that can allocate maybe different different roles and responsibilities so you might have certainly different types of nodes that

might play different pieces and so I I'm far from an expert on the proof of Authority consensus mechanisms but what I can tell you is that there are a variety than out there and they're all kind of derivatives and proof of stick work is more of like you know I got all these people doing work and then when one gets the right answer like you know reward them they were incentivize to do the work because they get a little reward when they do it but proof of staying from Authority the ones like that are more like you know trusting trusting the person is showing characteristics that they're not incentivize yep that's the general yeah exactly and I mean you can

have round robins and all sorts of stuff where maybe where everyone is going to take a turn there's all sorts of different ways to do their consensus mechanisms and so they can be granted their authority that way like I said they're unproven and so they're pretty controversial in the world of crypto economists which I am not one of but I certainly understand when you're implementing something new like this that has the ability to enable someone to potentially undermine the integrity or the lid of a monetary base or legitimacy of their transactions I certainly do understand why for example you would maybe want to roll it out in a smaller you know limited run basis so that's been pretty pretty hot

topic right now especially in the etherion space as they're working on making their shift over from proof of work to proof of stake but it's definitely you know we'll see where this one goes with that though it's important to understand that there are two types of block chains and this is really where the enterprise conversation starts coming in so those of you who are extremely familiar with crypto currencies are familiar with what we call public block chains these are completely permissionless what that means is that anybody who wants to download a node can go and participate in these networks that's awesome it's great for enabling a bunch of different types of use cases business cases crypto

currencies whatever it is that you want to do on that that's fantastic but what we're seeing right now in the enterprise is that enterprises aren't quite as fond of just putting their information out there on a blockchain so we have this concept of a parameter permission blockchain where you can actually decide which participants get to participate in the overall network I will say that a lot of the blockchain pure out there feel like this undermines one of the critical value propositions of blockchain basically saying that well look if you're going to specifically start prescribing who can access this and maybe it's not so low trust that you really need a blockchain but there are other benefits associated with using the

technology other than just being able to decide who has access to it so you'll see a couple different common brands so in the public space there's aetherium and there's Bitcoin in the private space as hyper ledger there's Corte which was started by a consortium called arc 3 which was a bunch of financial services companies banding together and then there's built on top of the theorem there's four three or four different private blockchain instances that you can deploy including quorum which was JP Morgan's that they come out with recently built on top of the theory so understand that there are two very key paradigms here public versus private it's kind of the same difference between internet versus

Internet right so what are some of the celebrated business benefits associated with implementing blockchain well you'll hear about efficiency auditability transparency and security so as far as the efficiency goes if you guys have ever been in an enterprise setting and you've seen all these systems crammed together and you've seen all these manual processes set up just as workarounds to do with the the might of the dysfunction that emerges from cramming all of these systems together it's a key value proposition that blockchain brings to the table we can strip a lot of that stuff out and because we're prevented providing a medium for data to exchange a little bit more freely that we can potentially disintermediate some of those systems

and cut out a lot of those processes so it's going to be greater efficiency there's also a perfect audit ability and traceability or pretty dang close to perfect audit ability and traceability you have the ability to look back at any block and understand exactly what happened at any point in time so there's really no corrupting audit logs there's no losing audit logs because every single block has like I said earlier the entire previous coded within it there's transparency which is pretty cool you know it allows people to understand depending on your role out of how your blockchain is configured it can allow people to see into the operations of whatever process that you're tracking and it allows them

to audit it in a pretty easy manner low touch manner that it can actually be a key selling proposition key value proposition for a lot of businesses they can go to their clients and say look you have concerns about our practices you have our you know concerns maybe about our sustainability well all of our processes all of our supply chain is tracked here on this blockchain and we're giving you guys access to it so you have perfect transparency into how things are running that way when I say as a business that I am a sustainable business maybe I don't have to rely on some sort of trusted third party to to give me the credential maybe my

customers can actually go and see it for themselves so pretty cool now the the dicey issue of security so I'm not going to stand up here in front of you and tell you that blockchain is perfectly secure if you look around the the blockchain industry a lot of people like to give watching the secured by design moniker but you have to really understand what goes into a real deployment of blockchain so watch Shannon is an application with some really really good math we're pretty confident in the really good math right the math is pretty sound although it is not impervious it's definitely still important to validate this really good math but as with any other application

even if that math is super good and super secure there's a whole other area of potential area for attack a whole other attack surface that is vulnerable to anybody who wants to do wrongdoing so it's a full stack out there that you have to work on security and I'll talk a little bit more about that in a few minutes so entering the internet of value so a lot of people are sitting there shaking their heads going oK you've got some sort of cryptographic scheme to store data in a really really complicated way like why is this revolutionary why do I care what does this really represent and so this is where the concept of the internet of

value really emerges so I'll talk through this slide here we like to say that we are in the fourth Industrial Revolution so the first Industrial Revolution was awesome because the imagine is we can all of a sudden move really really heavy things from place a to place B that's fantastic Second Industrial Revolution was the assembly line in the birthplace of standardization and mass production and allowed just unprecedented efficiency that's fantastic the third Industrial Revolution is all about computing and internet we're calling this the Internet of information so it's exchanging Internet information among people on some sort of network and it never before had we seen such freely exchanged ideas and information that that knowledge of

humanity grew exponentially once this came out right is truly spectacular industry for dot o or the Industrial Revolution the fourth Industrial Revolution is all about immediacy privacy and efficiency and so I'll start talking about that in a second but I think to understand it well you have to really understand is what is the internet of value so in the Internet of Things you can potentially duplicate things I'm sure no one in this room was ever involved in such devious activities but maybe there was something going on in the music industry in the last two or three decades with with illegally reproducing and disseminating music right well all of a sudden now what we started to realize is there are these

digital assets that are of value and there's a really big problem in that they're not unique or they they can be easily duplicated and so this is called the digitization gambit and it's kind of the slippery slope that is associated with sticking everything digital when you make every single thing digital how do you know that what you're dealing with is distinct so we've got all of these things that we value here we've got identity we've got art we've got visual art music film we've got your votes you've got your intellectual property contracts anything that you might want to prove is distinct but on the Internet of information you could easily just copy and disseminate at your leisure what

blotching does and why it's so monumental is it solves what cryptographers have been calling for a long time to double spend problem the concept of it is I give you five dollars of my fake Internet money how do you know that I'm not retaining a copy of that fake Internet night that sounds really simplistic but that's actually a really big issue and that's a difficult thing in a cryptographic manner or any other programmatic manner to try and prevent insult and so we've seen already with the whole crypto boom how much value this can create in the cryptocurrency space but think about once once again as we go and start talking about all of these other assets

think about how much other value how many other distinctive digital assets could create value if you could transfer them from peer to peer to peer and understand and trust that things haven't been duplicated maybe your car title maybe the title to your house all of these things are paper processes that you have to sign right now to prove the authenticity and that the uniqueness of but what if there was some sort of digital solution that allowed you to do this without ever having to put pen to paper or do it in mass pretty cool all right so this is really exciting everyone gets super excited right they they start dumping all of their money into blockchain right the crypto

currencies are blowing up watching becomes like the the biggest buzzword aside from IOT and augmented reality and you know machine learning and all of that that's awesome so the enterprise starts getting really really excited fantastic but then this happens we were talking about this before a lot of you guys came into the room but there's a known hype cycle for emerging technologies every new technology goes through this process where people get really really excited about it and they dump their investment into it and there's there's a little bit of a bubble and then okay maybe it isn't the end-all be-all maybe it isn't the Silver Bullet to all of our problems maybe you can't convince chick-fil-a to stay open out of

Sunday this new technology right this was however compounded in this instance with the popping of an asset bubble on top of it so we have the normal pain points that you would feel with the trough that follows the peak and that's typically paying for I typically you see companies and startups running out of business people saying oh that's over the future is over this this was all a fad right whatever this was compounded by the fact that you had all of these assets out there that were just completely being fabricated on a whim you know we've got a CEO is happening left and right a lot of times based not really on any specific value right these are

speculative assets that are just moving up and down and they were moving up as long as everyone was really into the technology but the second people started to become a little bit more bearish they crashed and this just is completely like pilot drove the the rest of the industry and so understand that the recession in interest is a combination of something that is very predictable in the hype cycle compounded by something that is a little bit more unprecedented technology was surrounded by an asset bubble so since and driving this thing from a NASA stuff so since that bust people in industry have been watching blockchain in the development of the technology kind of like this they they see that

there's value in implementing technology and we see this in enterprises right now like oh we've got an idea about this thing that we might be able to do we could probably cut out some intermediaries we might be able to make things more efficient we've had this problem that's kind of been nagging us for a while but dang like that whole cryptocurrency things so they're sitting there and they're watching the industry evolve but they've been kind of sloped to try and adopt it and start to bring this into enterprise and so now a year and a half or so after you know a lot of the air was taken out of the balloon we're starting to see some of the

interest really start to rebound in the enterprise all right so let's talk through enterprise needs blockchain solves every problem no enterprises who wants to implement blockchain have to understand that first right they have to reduce the scope as if they were implementing any other technology to understand exactly what problem it is that we're trying to solve I kind of hit on this earlier in my arm wavy product managers speech with the triangle but you have to understand who your customer is and you have to understand what those customers need before you start coming up with solutions so when you start saying blockchain solves every problem think again reduce the scope slowdown why do people care about Bachchan in the

enterprise well here are five pretty good reasons that we've seen so far we've seen interest popping up various places in the c-suite originally we're seeing it just pop up and R&D shops as some you know some guy in R&D shop and maybe get like a little bit of a budget he had a cool idea it was a pet project we're starting to see that shift though as this becomes a little bit more of a conversation in the c-suite so blockchain removes the need to trust a third party I kind of beat that one to death earlier but blockchain removes the need to wait for a third party so I don't know if you guys have ever

transferred money via ACH before or if you've ever had to go through the credit card processing process where you have authorization and settlement but it's extremely slow and it's extremely slow because it's extremely dysfunctional how many different hands are in that pot you've got so many systems in there that everything is trying to flow through what blockchain presents is a platform for that data to flow a little bit more seamlessly so that you don't end up having to sit around and wait for everybody else to get their job done blockchain removes the need to submit to a third party now what does this mean I don't know if you guys have ever found yourself in industries before that have

been dominated by one really really aggressive third party a lot of times these might be certification companies and so I gave you the example earlier about companies that are producing products let's say paper they're producing their paper products and everyone really cares that their paper is sustainable well these companies are being held hostage right now by third parties that are charging them a fortune to stick the green seal of approval the outside of their packaging and so they end up having to comply with a bunch of different regulations or rules or processes that don't really apply to their exact niche or exactly what they're doing doesn't really prove that there any more sustainable and yet

they're being held hostage that they you know they cannot sell into this market unless they get some sort of thumbs up saying that they're producing their paper in a sustainable manner well what if I said this earlier what if all of a sudden now companies could put their entire supply chain in a manner that was visible so that people who cared about sustainability could easily audit every single process that they're doing and trust that the product that they're buying is green without having to look for some specific logo on a piece of packaging pretty cool people believe it to be encrypted mathematically sounding and immutable it is more secure that is true but I added those caveats earlier

and those caveats are very important and I'll hit on those again in a second people also believe that it can protect from attack and protect private information and prove the truth so this kind of bridges trustworthiness with digital assets so we see so much stuff fabricated all over the Internet today this brings Trust to what you see because you can audit it's its origins so I'd like to talk through a few of my favorite examples of how blockchain is being implemented in enterprise settings and so this one this first one that I'll talk through is actually something I've got to witness almost firsthand two weeks ago at the blockchain Revolution global conference in Toronto thought was

really neat so we had up there on a stage sworn enemies it was FedEx UPS and DHL sitting all there next to each other and they were talking about how they've teamed up with hundreds of other people in the transportation logistics industry to try and solve a variety of problems that they've spotted currently and I didn't know this I was not as familiar with the industry I don't know if you know that systemically a lot of these guys rely on each other to move packages throughout their systems so if they're in the business of delivering things FedEx may actually have UPS take one of their packages from point B to C and then UPS might actually have DHL then

take that package from C to D all then to be delivered back to a FedEx guy back to your door right it's a very cool mingled industry and with that the data associated with tracking packages throughout that entire movement process is really really messy so that was just kind of a pain point that was a point of the inefficiency up until a couple of years ago when someone was trying to launch a some sort of terrorist plot where there are shipping bombs and setup on printer cartridges and the Department of Defense came to them and said you guys need to track down every single printer cartridge in your entire network and they go that's stuff we got a lot of

different systems of record here that we're trying to track things down and oh yeah the stakes are really high because if you don't get to them soon enough like these things are going to blow up right so that prevented that that presented a terrific burning platform for these guys to band together and say well look this is probably not the first time this has happened it certainly isn't going to be the last time this has happened if we can't solve this problem among ourselves in a tiny manner then the government's going to solve it for us and they're going to implement some sort of crazy regulation and I don't know if you guys have tried to to to

comply with regulations implemented by the government before but they aren't always done with the level of expertise that a practitioner with hope they were the level of care that practitioner would hope they put in to developing some of these regulations so a lot of times they're very disruptive and they're very expensive to comply with so this is an awesome example of sworn competitors caught up in a what they were calling co-op petition it was an awesome order and I think it's a great word to keep in mind as we at other use cases for blockchain the concept that yes we're competitors yes we all want to beat each other but we also understand that there are some

problems that we are incapable of solving alone and if we can find a way and a medium for us to lay down our swords for a little while and we can actually cooperate we can actually really implement some amazing change so pretty cool use case I was proud of them to see that that was uh that was definitely new one for me also had the amazing luxury of speaking to the CEO of a company called suite bridge is a company based in Arizona and these guys want to rethink the entire financial system and this is a pretty audacious effort and I really want to abstract this from cryptocurrency because this is not a cryptocurrency company basically

what they've done is they've looked across all of these different companies in the world yeah you guys if you guys we're for enterprises you have your full finance teams you have your full accounting teams if you ever looked at their processes and their systems and everything that they do there is an enormous amount of dysfunction in there and none of the systems really talk well to each other largely because of a really big data governance and data normalization problem so these systems were implemented to do one thing but they really need to talk to something else and do something else and they don't quite do that very well so then you have all these jobs created all

these middlemen that have to just manually transpose data from one system to another or manually interpret data from one system to another well that gets even worse as companies begin to try and exchange value so now all of a sudden we're transacting and I sell you a widget right and it sits on my books one way and it sits on your books a different way and those ways may not line up depending on what systems they're run through and who is interpreting the accounting as it was all happening now this would be a really hard problem to solve though because there is a massive data normalization problem so what these guys are trying to do is solve the puzzle of data

normalization in the financial services in the financial world not just in financial services but specifically as it applies to enterprises in general anybody who wants to be able to make all their systems not only talks to you mostly but also talk across company lines to other company systems as well kind of a great ERP and sky if you will so it's a pretty audacious goal it's been really impressive the work that they've been doing they unlike a lot of the blockchain companies they've been working most closely with lawyers and accountants which is pretty crazy because almost everybody else is developing their stuff with either really good marketing guys or actual developers hopefully so it was

definitely impressed with the conversation that we had with Scott Nelson a suite bridge I have three more examples that I'll run through pretty quickly here if I can get the slide to change first in healthcare so MIT Media labs has created an interoperability from the interoperable so that's a tough word to say an interoperable blockchain that tracks patient medical data so it allows you to go from one doctor to another and easily and seamlessly bring with you all of your medical records so that they don't have this whole thing where you show up in the ER and they go I don't know you know what pills does he take I don't know what medical conditions is he take I don't know this

is a really big problem right now and it's inhibiting people's ability to receive quality medical treatment quickly especially with time counts and so it's pretty cool work that MIT Media Lab has been doing to implement in this this blockchain to track people medical history for them in a private manner supply chain so this is one that we heard about quite a bit in Toronto two weeks ago so Walmart has teamed up with Tsinghua University in China to bring credibility back to food supply chains so there's this really big problem especially in China right now where the product we think you're buying isn't necessarily the product you were buying and sometimes that's just kind of funny

and whimsical and inefficient and oh darn maybe I got a few bucks sometimes though it's it's life-threatening and so there are some legitimate medical risks that can come out of eating counterfeited foods or maybe foods that weren't transported a safe and secure manner cold chain is a really good example of this and cold chain sounds like a block chain thing because it has the word chain in it but it's not it's actually it's a transportation logistics thing you guys are cold chain transportation before no Sokol change transportation is actually really simple concept it's basically just the premise that food needs to be transported from point A to B to C to D to e at a certain temperature it is

literally a cold supply chain very simple concept but what we have here is kind of a complex web of 10 15 20 30 different participants that all have to be trusted to actually transport that food from point A to B to C to D he handed off to each other on time before the expiration date and O they also have to keep it cold the whole time well so all of these guys are separate companies they're low trust or you know medium trust third parties and they're actually incentivized to cheat because it's actually very expensive to keep something refrigerated for that long a period of time especially if you hollering across the desert or whatever

and so this is a terrific example of how blockchain can bring trust to the situation how we can actually track the temperature that and that food was stored throughout the entire supply chain and to end and validate that the food that was being transported was the food that we intended to transport in the first place so pretty cool a lot of great work being done by IBM and Walmart and sing while University in food trust and I definitely yeah good I just would like to understand the math behind that if that's possible so if I'm in a truck driving across the desert today and I mean other people right so you might be broadcasting your sensor data out there

right exactly so what you're creating there is effectively a consortium so kind of like how we say Bitcoin everyone in here can be a Bitcoin node right and everyone in here can validate each other's transactions what we're talking about here in the supply your supply chain use case is a little bit more of a consortium application so we've got maybe 20 or 30 or 40 or 50 trusted nodes on here we know who these companies are and they're all want to take turns validating the data through some sort of consensus like the chain was about 8 pieces right yeah ok so then finally insurance and this is a really cool use case because this is actually something

that you guys can mess with today if you would like so there's a company called AXA out there and this was pretty neat actually just not about this one that's we're going to go they've released a insurance a travel insurance product called fizzy it's really neat so if you guys have ever traveled before which I'm sure all of you guys have then you've probably had convenience of being delayed or having your bags lost or any of those things it's just a fact of life when you travel for work a lot of the airlines will either offer to sell you travel insurance to recoup your losses should you incur any and get that go to lunch for an extra 30 minutes because

your flight was delayed a lot of times though it's kind of difficult it's it's a pain in the butt to collect those losses after it's actually happened and a lot of times they still ask that you submit proof that you actually incurred those losses which is kind of another thing so you end up having to put paperwork together as though you're filing to some sort of larger insurance claim and so this is convenience that you're getting is really not that convenient all together so through the creative use of smart contracts access product fizzy is pretty cool it allows you to go in and purchase insurance for flight all that flight information is out there publicly accessible and

they've got a smart contract sitting out there and that smart contract is tracking your flight and if your flight becomes more than two hours delayed it immediately triggers a smart contract and sends you the money it's factual right your flight was factually delayed and so what you're insuring against is the losses that could you could incur in the event that your flight was delayed by more than two hours so it removes all these processes of you having to go and file and prove and all this stuff and it's instantaneous there's no phone calls there's no following up with anybody you just get the money pretty cool concept so how do you implement blockchain and enterprise well it's a messy process and

unfortunately that's because a lot of enterprises project plans kind of look like this so there are some really important fundamentals to focus on and we're actually talking about this earlier that you're a secure developer right you guys are security practitioners you understand the value and building things secure from the ground up blockchain is no different it's really really important to focus on the fundamentals and it's actually really difficult to do with watching it here's why a lot of times this is a controversial project that you're gonna put in a company maybe you've only got limited support you've got limited funding and so you as a person implementing this project are under a lot of pressure to

show value really quickly a lot of quarters are cut a lot of people are doing whatever it is that they could possibly do to get their product up and running you get their prototype going and then up the prototypes built let's just throw some production data in there right not good practices and so what I would challenge you guys to do is be the voice of reason in your companies as which is not always easy to do depending on the nature of the company but as blockchain starts creeping in and as you start seeing these use cases be developed trying to around two people and say look there can be some merit to your idea I'm not saying anything

otherwise but do not forget the fundamentals right we're only as weak as our weakest point here a lot of it comes down to basic secrets management and I don't mean to belittle secrets management by calling a basic because I understand that it is an entire field of study to which many people have devoted their entire lives but just like you'd manage secrets anywhere else in your organization you're watching is only as secure as its secrets and if you're relying on secret keys for people to be able to unlock functionality associated with the blockchain then your watching is only as secure as those people's ability to keep their secret key secret just like anything else that

you'd see in your enterprise so what does it look like to stop the bad guys this might look familiar to you guys because this is pretty much what it takes to stop the bad guys everywhere else as well we're seeing that the same processes associated with securing the blockchain application are the same and that it would take to secure any other full stack application within our organization so you've got a heavy code review we do you know we add a crypto and math analysis in there as well we think that that's really important which seen some instances of people being able to pay themselves infinitely and crazy things like that so yeah half the math

looked at by a math guy basic pentesting audit coverage you know inspect the full stack architectures make sure that it is really designed with security in mind and then build on existing tech so just because this is a new and innovative technology doesn't mean the whole thing has to be built with new and innovative technologies you know you're taking a big risk by implementing something like this perhaps why take such a big risk by implementing every single thing else that's unproven so you guys have certain technologies that you can trust that you can rely on that you know how to implement well keep that in mind as you're building out your architectures all right the final couple thoughts what

is next for blockchain so these are a couple crazy headlines that we've seen so far most of them are associated with the legal problems with watching here in the United States but it really is global so I don't know if you guys realize this right now but the securitization of physical assets is largely illegal in the United States and so when we start talking about a platform that allows you to tokenize assets and shred them and loan them and borrow against them and all sorts of stuff like that it's actually illegal in a lot of places and it's a pretty big issue that can be destabilizing for a lot of companies that are trying to

build in this space so right now there are I think it's 13 states in the US that have created what we call blockchain sandboxes basically they say up to a certain dollar amount we're going to allow you to do this stuff that would be illegal otherwise as far as tokenizing ass loaning against them and all sorts of stuff like that we will you know we're not going to turn a blind eye but we're going to allow you to prove its business model while we start to understand the technology and we can legislate a little bit more so that's actually very sensible approach it's a new fuel I know that there's some awesome blocking sand boxes out there both within the United

States and outside the United States Phoenix Arizona's a hot spot for that outside the United States the Isle of Man is trying to become crypto island which is pretty cool so they're they're working on you know bringing all the cryptocurrency and all the the blockchain companies out there to try and improve their concepts so everyone is really in this space race to try and be the place where it all happens but they're also not just completely opening up the books to let it all happen immediately so that's what's happening yes yeah so you're not always able to just secure physical assets because if securities are pretty heavily regulated right there's that there are a lot of

things that you can abuse consumers and you know like monetary basis you know like securitization learning and borrowing can be a pretty destabilizing force and there's a lot of opportunity for abuse with them and so there are a whole lot of rules associated with that and what these come you know what these governments are doing is saying look you can loan up to $250,000 and we're I'm going to say a thing right it's okay for you guys to load ups $200,000 now you guys are going to become billionaires by loaning $200,000 but you're gonna prove that you're a viable business maybe you can go get your venture capital funding and while you're doing all that we're

gonna see that you're not abusing people you know you're not taking advantage of people who are is that is educated about the technology or about the math and that it's ultimately secure that this isn't going to collapse in some sort of dreadful you know security incident

that's a terrific question you know a lot of our research has been pretty fragmented in that we haven't really found a cohesive system of record where we could go in and to see the the current laws of you know the blockchain industry every where you go but one of our offerings and I you know I'm not here to talk about our offering is one of our offerings is to help people roll out their idea to a sandbox and so a lot of that does tie in the legal component of it and a legal technical and security you know we we expect them to own the business viability of it but it's a it's a tangled web right now and it's

constantly evolving so even by the time you get a document and it seems to change so it's unfortunately if the best answer I can give you yeah there's a big blockchain organization in Atlanta if you find them I can talk to you afterwards and that would be the place to go in and find the contacts and it's actually yeah one of the coolest things about blockchain is the blockchain there are some amazing meetups around you know you get a lot of really passionate people in one direction or another it's a pretty fragmented right now across different technologies but the community has end up being pretty supportive of the concept in general they wanted to succeed they've just got very different

passionate ideas of how the success will be executed but it's it's definitely been really neat to see I've got to go to some meetups around just some folks at different conferences and it is a supportive community so the future of blockchain where is the industry headed there were kind of three things that I've seen so far one is standardization so enterprises don't want to be the ones to implement a technology that ends up replaced by a different technology they don't know which horse to bet on and so we've heard this from a lot of c-level executives so far in the enterprise they say look we think that your ideas have merit we think that they can solve some

of our problems but I'm also not going to give you a million dollars because I don't know if your technology is going to be around at six months totally legitimate problem and so what the industry is airing towards is standardization and a lot of the the blockchain platforms right now are teaming up in an awesome display of guapa tician to try and standardize a token format so that tokens can easily be transported across platforms and that might one day ease the overall standardization burden associated with rolling out a new technology but we see this with every technology right there's always a footrace to try to be the one who wins out it's a messy process but

someone always ends up winning and it still hasn't happened yet though but we're getting closer scalability so I mentioned the energy consumption issue earlier on the fourteen point seven days of electricity that it takes to process every transaction that obviously has to be fixed and so a lot of the blockchain platforms are implementing what they're calling level 2 solutions it's it's the idea that is can we take some of these transactions off train and still provide a degree of trust and so to just give you a brief understanding of how like one of those works so Bitcoin lightning for example says ok well there might be instances where two people are really transacting with each other pretty

frequently there there isn't this lack of trust around completely so let's say Izzy and I are going to transact maybe 10 or 15 times over the next couple of days what we're going to do is we're going to write and sign each other transactions it would be like if I was writing her a cheque and she would write me a cheque back and I read her cheque and we never took him to the bank but we were just writing each other checks so we would fund this escrow account this smart contract we would write each other these checks and then when we decided ok our business relationship is terminated then we would settle it and that would

be the ending balance actually get recorded on the blockchain so an interesting concept what that allows us for us to take a lot of the transactions off train off chain but still have trust in them it also brings a certain degree of privacy to the transacting because that way you don't know how many times Izzy and I transacted or what the exact dollar amounts were you just saw the ending balance which can be some some desirable privacy for folks so that it's a pretty cool concept definitely still not proven there they're in the development stage right now who knows if it will succeed or fail I know a theory ins got their own concept of it I think it's called plasma you

might know the theory of plasma okay we have pretty sure it's called plasma either way though there's this whole conversation of second layer solutions to try and make the network more scalable and then finally and this is metallic you Terrans grand scheme his grand picture is interoperability he's the interoperability guy the tabut aaron was the 19 year old that invented aetherium and he's now I think he's 24 25 pretty amazing guy absolutely brilliant and his whole vision is a series of block chains connected to each other and what that means is that you have to be able to do something like standardize a token so that if I you know if Izzy and I are transacting on

one chain and then I want to go over here and I have this ending balance and I want to transact with her on a different chain I have to have the ability to do that and that requires a certain degree of standardization so that's those are kind of the three places where people seem to think that the industry is going and we'll just kind of see over the next year or two as these really unfold because some of this technologies will succeed some of them won't so I'll start to wrap up here I realize that I've got about five minutes so transformational potential is amazing for this technology it is not a silver bullet some barriers definitely need to

be overcome before this is really going to be able to realize its full potential I mentioned the scalability I mentioned the regulatory hurdles the immutability or the security component is definitely going to become a bigger and bigger talking point as technology matures overall this is restating the points from the beginning blockchain will not solve all of your problems but it does some things very very well it has the potential to disrupt a lot of different industries and as security practitioners you guys need to be prepared to advise your businesses accordingly and be that voice of reason to say look there is some merit to what you want to do here but do not forget the fundamentals here are

some of the value propositions that we talked about and you know the key one being that it can help prove the truth it's this really important concept right now so I'll go back to this quote that I opened with you guys taught me all right he didn't say this but yeah busted shoot it's not always this easy though think about everything that you guys have seen in the press all this become a hotfoot but an issue right now the whole concept of big news it is becoming more and more difficult for people to understand fiction from reality and it's it's like a it's almost a battle of good versus evil in a sense because it's a very

difficult issue right now especially and we're stuck in the paradigm of the Internet of information where things can be so easily fabricated and disseminated without validation but what blockchain really does is help resolve this chasm that exists between truth and trust and like I said it's probably not a silver bullet there are a lot of other things that have to happen before we can stop the spread of fake news or before we can solve all the other world's problems but the way I see it this is a fantastic tool that puts us one step in the right direction so guys thank you very much for your time and your patience I definitely appreciate it I hope you guys

have a fantastic conference and a great rest of your week [Applause]