Yaiza Rubio: "The Internet has brought new and very worrying ways of espionage"

The woman with a powerful physique and forceful gait who enters the room on the 3rd floor of the West Building of the Telefónica District, the company's headquarters in the Madrid neighborhood of Las Tablas, was going to be an elite tennis player, left him for journalism and then left journalism for cybersecurity, although now he has left cybersecurity for the metaverse.

Not only does the internet run like crazy and peek over the 3.0 threshold, so does Yaiza Rubio (León, 34 years old), who rather gives the feeling of already going for 4.0.

At the recent Mobile World Congress in Barcelona, ​​Telefónica directors announced to great fanfare her appointment as

in roman paladin responsible for the metaverse, that kind of virtual and parallel world to which some —like her and her bosses— predict a golden age and which many see as a trend that reminds us of things already seen, like

the tamagotchis and in that plan.

Rubio was the first Spanish woman to participate (2017) in DefCON and BlackHat, in Las Vegas, two of the world's great cybersecurity events and surely the two great pagan masses of

from all over the world.

In the second, together with his colleague Félix Brezo, he presented OSRFramework, a set of free software tools that supported investigation procedures on the digital footprint of cyber identities with a presence on the Internet, with a view to detecting and identifying the perpetrators of cyber attacks, stalkers or terrorists.

Something like a

in short, quite concerned with the new forms of political and business espionage.

She is an honorary collaborator of the National Institute of Cybersecurity (Incibe) and a Medal of Merit of the Civil Guard, some of whose agents she has trained in intelligence analysis and cybersecurity.

She teaches graduate classes, participates in conferences, gives talks at schools and institutes and is the author of books such as

on it or

(Shackleton Books), which has just been published and in which it offers tips for the proper use of the Internet by children and adolescents.

Yaiza Rubio, Chief Metaverse of Telefónica, photographed at the company's headquarters. Gianfranco Tripodo

What is a journalist like you doing in a place like this?

The truth is that I never got to practice the profession.

I did my degree, and I did take a few steps as a sports journalist in

Well, actually, that's why I got into journalism, because of sports journalism, because I've been playing tennis since I was four years old.

I retired at 17 to study.

I'm not saying that it was going to be Rafa Nadal, but he competed internationally and in my category he was among the best.

So that was why: I liked the sports journalism thing.

So what happened?

I don't know, I didn't get it right.

Then my father asked me what else I liked, and I told him something related to security.

My father is a military man, and that vein was at home;

I was born on a military base, in Albacete.

We are from León, but my father attended the military academy for non-commissioned officers there.

Then they assigned him to Las Palmas.

I grew up in the military.

And his grandfather, civil guard.

That, too.

In other words, we already have three uniforms that she could wear and did not wear: the short tennis skirt, the military one and the Meritorious one..., all in all, to end up dressed as an executive at Telefónica.

[Laughs] Yeah!

In short, I started training in intelligence analysis, which was something close to journalism, because you analyze information, although from a different perspective and with a different rigor... The first internships after the master's degree were in a computer security company.

They needed intelligence analysts.

I was lucky, it was the moment when computer security was beginning to become more professional.

But I said to myself: "Wait, you can't stay here processing information for 7,000 years!"

I needed to learn to program, and I learned, until I reached a profile that combines analytical rigor with the technical part.

They are two very powerful worlds.

That in their profession they complement each other, I suppose.

Without one, the other doesn't make sense.

Exactly, there are very good forensic analysts, very good

analysts , etc., and they are the ones who bring the evidence of what has happened in an incident and generate hypotheses based on that evidence.

But if they are not well consolidated...

Well, and then, once the subject of intelligence analysis and programming has been controlled..., the magic word arrives.

You become a

Ha, ha, yes.

Word with not a very good reputation, but it seems that it is not very well understood.

Of course.

“

Of course.

“Being a

Of course.

In the end, a

has a specific technology and knows it so well that he is capable of taking it to the extreme.

It is about trying to exceed the limits and see if they can be applied towards evil or towards good.

When technologies are designed, they are made with specific objectives, but those

bad

A

is just that: trying to examine the corners, the edges of the technology, and see how it can be used.

I repeat, for better or for worse… that is what cybercriminals do.

A 'hacker' examines the corners, the edges of the technology, and sees how it can be used ... for good or for evil

In your case, it's about putting yourself in someone else's shoes, right?

In other words, to act almost as if it were a cybercriminal… in order to detect the intentions of that cybercriminal?

That's it.

We have to get into the mind of the person who designed such a specific technology and at the same time into the mind of the bad guys to see if that technology can be used for malicious purposes.

And if the answer is "yes", then you have to discuss with those

or

designers so that they can improve the possible defects.

If not, users of that technology will be negatively impacted.

This is a bit like black witches and white witches…

Is the same!

In fact, in our terminology we speak of

and

[white hat and black hat].

I read a figure that sounded extravagant: 50,000 million cyberattacks in the year 2021 in Spain.

This could be?

Let's see, these figures must always be taken with tweezers.

Okay, but how is the situation in Spain in relation to other surrounding countries?

We have very well-trained security forces and bodies and public bodies, such as the Civil Guard and the CNI, and they have been part of the hacker community for a long time.

Obviously, we are neither the Americans nor the Russians, who have been in this business all their lives and have some manufacturers of milk safety systems…, but we have very well-trained people.

What can cybercriminals be doing to us right now on our mobiles?

Well, you sure less.

No, no, everyone, everyone.

The fan is infinite.

They can compromise the service that person is using, for example if that iPhone or Android has some type of vulnerability and the device has not been patched to the latest version..., and then the user is directly exposed.

Between the time the security flaw occurs and the flaw is detected, whoever wants to exploit that vulnerability can exploit it.

Is that time lapse a bit like the blind spot of visibility when we drive?

Correct.

Companies build software.

They believe that

is safe because it has been through many processes.

But there can always be something.

They haven't detected it, and then there comes a time when that vulnerability is detected internally or externally.

It is in this range of time when an exposure and vulnerability of the user occurs.

The end user is the weakest link.

Yeah, but no one is free here.

Not even Telefónica, which in 2017 received the

WannaCry

Effectively…

A sacked fortress.

How was that experienced?

It would be about eleven in the morning and they told us all that we had to disconnect from the Internet. And everyone home.

But with that a lot was learned, and not only us, but at the level of Spain.

Before

, we knew it was important for all of us to share information about our respective incidents… but no one was doing it out of fear.

arrived

and the first thing we did at Telefónica was share information with the rest of the companies.

Because Telefónica made all the headlines…, but there were many, many companies affected.

Returning to the ordinary user… Is privacy the new gold?

Both in terms of security and the business of buying and selling personal data, I mean.

Clearly privacy is the new gold.

When Google realized that its greatest income was going to come from creating a search engine and knowing what interests the users who are searching, it hit the nail on the head with its business model.

And that's what happened with centralized platforms.

But the internet is transforming, mentalities are already changing.

Around 2005 the big platforms were created, Google, Amazon, Facebook, Twitter… They gave the user tools to be a content creator, and that was great.

What those platforms did in that first phase was capture users.

The more users, the more valuable I am.

But there comes a time when they have to make their investment profitable.

And that way of monetizing it is to sell personal data.

But there are many security breaches and many privacy issues with the sale of personal data.

And now we are going towards Web 3, to decentralized platforms where the power and the incentives really belong to the creators of content and the users.

Privacy is the new gold.

Many security breaches are happening with the sale of personal data

Can you give an example?

Why can't there be a parallel platform to Spotify where musicians get all the profit from the pie, instead of the centralized platform?

Today they can take 3% from the creator, but suddenly tomorrow they can take 30%.

In these centralized platforms a very great mistrust has already been created.

How

I'm not here, we can't position ourselves much on this here... Let's see, Pegasus is still a

that someone has developed with clear surveillance objectives, and of course there is concern that this type of

could fall into the hands of governments or companies .

Anyway… why are we so surprised?

We can play naive, but governments have always spied on each other, and so have parties and companies, and members of governments to other members, and partners of companies to other partners.

And this does not seem to change.

Now… I understand that intelligence agencies have many interests in knowing what competing companies and other governments are doing, that has always been done.

It is true, there has always been spying, what happens is that now there are much more advanced and technological methods than mere physical espionage.

Internet has brought other levels, new and worrying ways of espionage.

Espionage, surveillance… is George Orwell's

still

Yes…, well, now maybe it's also

[a science fiction novel published by the American Neal Stephenson in 1992].

No, but 1984 is amazing.

I don't know how science fiction is sometimes capable of predicting in this way what is going to happen in 30 or 40 years, because in the end that book is not a dystopia: it is just what we are experiencing on the subject of surveillance.

You also write books.

Now he has participated in

It is something so necessary..., we must instill in them that technology is very good, but knowing how to use it.

Children—including teachers—do not have to be experts in these matters.

That Cybersecurity teacher at the Tramontana school who stars in the book... shouldn't it be a reality in schools by now and not fiction?

Well, it could be very interesting.

I don't know how realistic it is to have

in schools, but the truth is that this is a very, very important matter.

School bullying is already largely cyberbullying.

What do we do?

Well, for example, making children aware of WhatsApp and all messaging platforms, and making it clear to them that they are not walls of impunity, that there are always methods to identify those who are behind the harassment, and that, if they are detected, they can end very badly

There are people who believe that what we do on social networks has no real impact on the other, that we are simply talking to a computer or a mobile and that's it.

But of course it has an impact.

And that they believe that it will not have consequences.

And of course it has.

You are now responsible for the metaverse at Telefónica.

"Metaverse".

What a word…, by the way, everyone talks about it, but it's not sure that many people know what it is.

Virtual reality is fascinating, but that is something that has been around for a long time.

The metaverse has to do with these virtual realities, but above all with the evolution of the internet and its decentralization.

It is even argued that the borders between the physical and the virtual are increasingly blurred.

Aren't we going crazy?

LOL!

They say you can buy virtual plots of land.

And virtual clothes.

Sure, you'll want your avatar in those virtual environments to be able to dress, right? You'll want to customize everything.

Users want to personalize their experiences, everything.

Before, all mobile devices were black, but Nokia came along and said: "No, I'm going to put them in all colors."

We started customizing t-shirts and let's see what we end up with...

And eye.

Hey what, what's coming?

The NFTs.

That they have a property: that of scarcity.

Imagine that someone says: “I am going to launch a Chanel or Nike model, or a speedboat, but only one unit”.

And to see who gives more.

And that's why NFTs and all these digital assets are priced the way they are.

Because of that capacity for exclusivity and scarcity.

Ah, here we have already parked the technology to enter the fields of sociology.

Yes of course.

In other words: I no longer want to be myself, but other

Yes Yes.

Maybe because I don't like this one...

Hey, you don't have to choose an avatar that physically represents you, suddenly you can choose to be..., be...

Brad Pitt.

Well, Brad Pitt, for example!

Or a monkey.

Isn't all this a marketing roll that will collapse one day as it seems that cryptocurrencies are already beginning to collapse?

I do not think so.

Metaverse platforms aren't going to need a stack of engineers.

The platforms create the tools for developers and content creators to create their own experiences.

And that scales.

When anyone can create anything in these environments, it scales.

Because it will be easy.

People are going to want to be in the metaverse.

Why? What's good about it?

Well, as a user, you will be able to live experiences that a physical world may not be giving you. 

50% off

Exclusive content for subscribers

read without limits

subscribe

I'm already a subscriber