Afternoon Cyber Tea with Ann Johnson 3.5.24
Ep 92 | 3.5.24

Keren Elazari on the Hacker Mindset


Ann Johnson: Welcome to "Afternoon Cyber Tea", where we explore the intersection of innovation and cybersecurity. I'm your host, Ann Johnson. From the front lines of digital defense to groundbreaking advancements shaping our digital future, we will bring you the latest insights, expert interviews, and captivating stories to stay one step ahead. [ Music ] Today I am joined by Keren Elazari, known online as K3R3N3, also known as the Friendly Hacker. Keren is an international recognized security analyst, researcher, author, and speaker, working with leading security firms, government organizations, and Fortune 500 companies. Keren is also a famed TED conference speaker. Her TED talk about hackers has been viewed by millions, translated to 30 languages, and is one of the most watched talks on on the topic of cybersecurity. Welcome to "Afternoon Cyber Tea", Keren.

Keren Elazari: Thank you for having me, Ann. I'm excited to be on the show.

Ann Johnson: So you have this fascinating background as a security researcher, you're an author, you're a hacker for good, which we need more of, and we have a lot to talk about today regarding the role of cybersecurity in our society. But before we get there, I really want to go way back. I heard you first got interested in cybersecurity after watching the mid-1990s Hollywood film "Hackers". Can you tell our listeners today what from that movie sparked your interest in hacking and cyber, and what has kept you in the industry all this time?

Keren Elazari: Of course. That movie is a classic, and it's a big part of my own personal origin story, as it were. And dear listeners, if you haven't seen "Hackers", 1995, after this podcast, go ahead and watch it. It is such a great ride. It's so much fun. The music, the fashion, the characters, everything about it captured my imagination. But there was one character in particular that really got me to where I am today, and that's the character of the high school hacker known as Acid Burn, the fierce young woman portrayed by Angelina Jolie. She was about 18 or 19 at the time, and she was portraying a high school hacker kid, maybe 16, 17 years old. And I really fell in love not just with the hacker world that I saw in that film, and all of the cultural, ideological, and even visual elements of it. I really fell in love with the idea that this one dominant, charismatic woman, young woman, can become an unofficial leader for a group of hackers, which is part of the storyline. I don't want to spoil the plot for those who haven't seen it, but I was really empowered by that. I saw a woman whose fascination and curiosity with technology was like my own. I saw a very charismatic lead actress portraying that role. I really fell in love with that idea. And I was already hacking, when I saw that movie. When I was seeing hackers on the screen for the first time, I was already interacting with hackers and learning about how the internet worked in those early days of the mid or early '90s here in Israel, where I'm from. We only got access to the internet commercially in 1993, so I had a couple of years to experiment and play around. I didn't realize it was called being a hacker. When I saw that movie, it gave me an image, an ideology, a culture, and an incredible leading lady in the shape of Acid Burn, and that's really something. And you know, I credit her and that movie and everything, every choice that I've made that brought me to where I am today. I think that movie was a really, really big part of my path.

Ann Johnson: You know, it's so incredibly important for young people, young women, young men, to see themselves in media, in entertainment, and think about that. You're a real-life story of how that inspired you, so it's fantastic.

Keren Elazari: Yes, absolutely. And you know, when you look at that film, the group of hackers actually has a pretty diverse representation built into it. So there's one character that's almost non-binary. There's the character of the leading lady. There's the very clear character of the leading guy, and there's a whole kind of romance subplot. I don't want to spoil it, but there's all these different kind of background characters that are part of that hacker universe that we see. One of them maybe has a Latino background. One of them is African-American, and there's a group of maybe Korean hackers that they collaborate with, and then we also see something that really captured my imagination. There's a montage of hackers around the world working with those hacker heroes of the main plot, and there's all kinds of different characters, all kinds of different people that are part of this hacker tribe. So for me, growing up in Israel, although I haven't met any hackers in the real world, by the time I saw that movie, I was able to relate with that and say, aha, these kids are not just in New York City. They're not just in London or Berlin. They're all over the world. There's hackers everywhere, and I can also be part of that global cultural phenomenon, maybe even a counter-cultural phenomenon, if you will. And that's something that really played to my ideals, if you will, of looking to find my place on a global platform or in a global context of hackers. So the movie really did a good job for me. And you know what? I'm pretty sure there's quite a lot of people who became security professionals because of that movie. I think there's a generation of us out there.

Ann Johnson: That's fabulous. Well, let's talk a little bit about your keynotes and your writing and what you call a hacker mindset. Hackers tend to get this really negative perception in media and in modern culture and even in the industry, so I want you to talk a little bit more about this hacker mindset, why it's important to understand the mindset, why it's important to understand it from a constructive and positive point of view, and what way can a hacker mindset help digital defenders protect data and systems?

Keren Elazari: Absolutely. So this is a big part of what I believe in. It's my passion to show the world that we can learn a lot from hackers and the hacker mindset. And there are many friendly hackers. There are ethical hackers. There are hackers who work for governments and corporates, and they're trying to stop the bad guys. And yet, the term hacker is so often synonymous with a bad guy, a criminal, a fraudster, someone who's malicious. The original hackers, the first hackers, maybe in the 1950s, '60s, and '70s of the previous century, they were the people who were clever. They were the people who were hacking around on model train and model rail systems in MIT and other campuses in the United States. If it wasn't for those people learning and developing the basic tenets of IP and other Internet protocols that we all use, we probably wouldn't have had an Internet that looked like the Internet that we have today, that is global, that is decentralized. So a lot of that hacker mindset, I think, stems or goes back to those ideals. And for me, it's about curiosity. It's about sharing the fruits of your knowledge, sharing your skill set. You know, there are more than a million friendly hackers today on planet Earth that participate in bug bounty programs, in vulnerability disclosure programs that use their time and their talents to identify bugs and vulnerabilities and report them. And of course, I know Microsoft was one of the first big enterprise corporate and software companies that had such a program in place in the first place. So now, it's a thing that all the big Silicon Valley companies do, but also maybe airlines and banks and Starbucks and so many big brands have learned that these friendly hackers out there can contribute with their knowledge now. And arguably, so many of these big household brands can and often do hire fantastic security experts. I know that you do. And yet the external point of view, the outsider point of view, finds things that even the best in-house security talent can miss. Maybe it's because of an organizational blind spot. Maybe it's because of a specific corporate mindset. The results speak for themselves. Each year, we see that individual, independent, outside hackers can identify problems in applications, in configurations, in networks, in all aspects of our technology world without being on the inside. So I kind of feel vindicated with that. I kind of feel like it proves my point that I try to make with hackers being the immune system.

Ann Johnson: Absolutely. And friendly or ethical hackers are very passionate people. We can hear it in your voice. You're very passionate about what you do. You're mission-driven, you're purpose-driven, and you have the zeal for finding flaws that makes the entire ecosystem of cyber better. Do you think that there's this general misunderstanding? And when you talk about the hackers, so we talked about the misunderstanding, but is it one of your purposes just to try to educate even the broader non-cyber community about the good work that friendly or ethical hackers are doing?

Keren Elazari: That's definitely a part of what they do, for sure. It's about education. It's about awareness. And it's about showing people that we can learn from hackers. And you know what? We can even strive to educate our kids to become hackers because that's a great idea for our kids' future because that's not just going to be a lucrative job. It's going to be a really powerful skill set for our kids' future. So that's one thing I'm really working on. I also spend a lot of my time, about 30% of my time, with nonprofit organizations that I either started or support. One of them is B-Sides TLV, which is the local chapter here in Israel for the security B-Sides community movement. It's a framework or movement of community conferences led by security researchers and hackers, organized by hackers, completely volunteer run. Our B-Sides here in Israel has been running for nine years. I'm very proud of it being the primary stage for any up-and-coming cybersecurity researcher or friendly hacker to present their work in a way that is not commercially driven, but rather it's just to share their knowledge and their understanding and their insights. And I think that's so crucial. I also spend time with a community I started called the Leading Cyber Ladies, which is now more than a community. It's a network. We have more than 3,000 ladies around the world in North America, in Europe, in Tokyo, Japan, and of course, here in my hometown. And all of these ladies are collaborating, are offering their advice, their insights, their ideas, job opportunities, increasing representation in conferences and in podcasts and panels and media. It's a big part of how I hope to bring about more general equality and representation in our world. I do what I can in the cybersecurity ecosystem. So these are things that I'm very passionate about. And I also put my time and my efforts into that, educating the larger population about how hackers can contribute, but also speaking to how we can continuously build that friendly hacker ecosystem and our workforce by bringing more people in, by creating more equality and representation in our industry. These are things that I'm very passionate about.

Ann Johnson: That's amazing, and thank you for all the work you do. Let's pivot and talk a little bit about what's going on in the world today, starting with the threat landscape. Yeah. So as a security researcher, what are you seeing in the way of emerging threats? And is there anything new or noteworthy that you're particularly concerned about?

Keren Elazari: Of course. So researching new and up-and-coming threats, that's really the fun, fascinating and terrifying part of my day to day. So I spend a lot of my time researching new practices, new techniques, new things that cyber criminal groups or nation state adversary groups are developing. There's a couple of key things that I want to highlight. So firstly, I don't know if you've discussed this in the podcast or not, but this year, 2024 is a global marquee year for democratic elections around the world. I think about two or three billion people will be voting in between -- it's probably about 30 countries. So it already started in Taiwan and it's going to be the American elections at the end of this year, the United States elections. So in that year, in this year that we have right now, we have a lot of up-and-coming threats that we need to consider. And the number one thing, the threat that connects a lot of the threat actors is that while the attack might take form as a fake video or it might be a phishing email or it might be a bogus application that tells you, allegedly tells you where your voting station is, but in effect, it's something else. But the one thing that's really common to a lot of these potential threats, attacks on trust. It's basically trust that's now the biggest stakes of them all, if you will, because it's trust and it's trust that people place in the democratic system itself. And it's a really big deal right now to look at how people can't trust a video. They can't trust a phone call. They can't trust an application. This, I think, is perhaps one of the biggest challenges we have in our industry to be able to use technology, but also the human element of things, psychology, if you will, to help reestablish trust in light of all of the technical capabilities that allow bad guys for their purposes to take advantage of the current situation. So when I say the current situation, I'm speaking about the fact that so many countries are going to elections and that creates a really ripe, volatile environment where bad guys can really come up with all the things I mentioned, malicious apps, phishing campaigns, fraudulent videos, et cetera, to their own purposes, for their own purposes. So that's a really big deal, I think, that we should discuss or our industry should be doing more about.

Ann Johnson: And we should discuss it a little here. So let me ask you, how concerned are you about the maturity of deepfake videos versus the maturity of deepfake audio? So we had our first attack in the U.S. where there were robocalls during the New Hampshire primary, encouraging voters to vote, telling voters the voting day was a different date than it actually was. And my theory is that audio is going to be a really big concern in the cycle, but I don't know if the videos are good enough. I would love to get your perspective.

Keren Elazari: Of course. So incidentally, we just had a discussion on that this week with the top researchers at Tel Aviv University, as we had just hosted Tel Aviv University's AI Day, and we had a full day dedicated to discussing this and other implications of AI technology, not just deepfakes. I think right now, to be honest, and perhaps to scare the audience a little bit, it doesn't matter if the algorithms for generating video are not perfect, because they're already fooling people. What I would love to see out there and what concerns me is not the maturity of the deepfake generating video or audio or images. What concerns me is the lack of maturity for systems to prevent those fake types of medium from taking hold. And the reason it's so difficult and the reason perhaps an audio is such a big deal is that while video, we might see video on our phones or in our computers, but audio can reach a whole slice of the demography of the population that doesn't really watch videos or doesn't go on TikTok or Facebook, but they do receive calls. So that's why audio is somewhat scarier. And that's, I think, part of what you've experienced in New Hampshire. So audio as a vector reaches a much broader audience. What I'm concerned with is the maturity of the systems that can detect and deflect these types of bogus medium, whether they are images, audio, video, or generally even just fake identities and bots. And there are a few solutions out there, a few technology solutions. And there's even a few, a couple of Israeli companies that are early in the race to try and defend against the malicious applications of AI with deepfake generators and trying to identify them. That's one thing that concerns me. I don't see that the technology out there -- I don't see adoption, wider adoption of that. And I think until such a time that people understand in the same way that they needed to have maybe an antivirus on their computer or maybe they need to scan a document or look at the address field in an email, now we're going to have to kind of go through an extra step perhaps to filter out some of the media that reaches us, whether it's by audio, by video, or any other medium. I hope that makes sense.

Ann Johnson: It does make sense. Yeah. Well, it's scary, but we have to deal with reality, right? And the technology to detect is decent, but it has to be more broadly deployed. We also need to go on a wholesale education campaign because this is going to hit the average citizen or the average consumer.

Keren Elazari: Oh, it already is. It's not going to. It already is.

Ann Johnson: Yeah.

Keren Elazari: You just mentioned what happened in New Hampshire. And for us here in Israel, we saw a lot of attempts and manipulations and changes to media that reached a very broad audience, certainly in the last few months following the October 7th attack. So it's something that's already reaching a lot of people. It's not really a cybersecurity problem per se. It's become more of a global safety problem, if you will.

Ann Johnson: Exactly. And from a global safety standpoint, both governments and the private sector need to get together and make sure that we're both educating citizens, but also deploying the technology to detect and prevent these type of attacks. It's a big topic. We could probably do an entire episode on it, but I am going to pivot and talk about small to medium sized business, because small to medium sized business, particularly sectors like health care, which are focused on delivering, obviously, patient services and aren't -- you know, they don't run on incredibly high margins and they don't have massive cyber teams. These small businesses are really under attack. What advice would you give those folks who are just trying to keep their small business online? What are the fundamentals you think they need to do?

Keren Elazari: So, you know, from my perspective, this relates directly to the previous topic we discussed, because there's really this assumption in our industry that the small people don't matter that much or the end users are the weakest link. There's a few different assumptions I want to tackle right ahead. I personally believe that it is smaller organizations and the end users, the people on the keyboard or the people downloading an app or the people making a decision every day, these are the people that we need to empower. And when I say we, I mean the technology industry. I certainly mean companies like Microsoft. I also mean friendly hackers like myself. We need to empower people to be able to be on the front lines because that's where they are. If they are the ones that are receiving the phishing emails, if they are the ones who are clicking or downloading or installing applications, if they are the ones whose networks are unprotected and become the first stepping stone for an army of cyber criminals, we need to empower our first line of defense, not call them a weakest link or the smaller fish maybe in our ecosystem. And there are a few ways to do that. So one of the primary means to make a small or a smaller organization more secure is by getting everybody on board. So making cybersecurity something that is part of their daily lives. It might be even by screensavers. It might be by creating phishing competitions. I don't know if you've heard this one. I've seen a couple of smaller organizations do this with great success. They created a weekly Phish Bowl competition where employees had to submit an email they thought was phishing and the employee was able to identify the most legitimate looking phishing email, but they didn't fall for it. They submitted that. They reported that. That employee won a prize because they caught a big phish. Right. That's a very low-cost initiative that any organization can do to educate people about the threat of phishing. No technology required, except for maybe having a point of contact to submit and report the phishing emails to. So there are things that can be done on that level, enabling and enforcing the use of multi-factor authentication, ideally multi-factor authentication that is not SMS or text message based. It's a great way to make your organization safer. The data or privileged account protection, the data on accounts that are protected by an additional form of authentication, ideally one like an authenticator app or a security token or a biometric measurement, fingerprint, face ID, other biometrics. The data on that is pretty clear cut. The improvement and the prevention of account takeover in such instances is really significant. So there are many services nowadays that offer multi-factor authentication, certainly most, if not all of the Microsoft services, but also even in our personal lives with our social media accounts, with maybe our shopping accounts. Pretty much every online service nowadays has a robust multi-factor authentication or additional two-factor authentication option. And not enabling that is just making life easier for bad guys. So this is something every organization, small or large, needs to be on top of.

Ann Johnson: Completely agree. And by the way, I always say multi-factor authentication for every person that accesses your environment 100% of the time. I know it's a lift, but it's much less of a lift than it was 10 or 12 years ago because it's become very frictionless with biometric authentication and different technologies that are in place and authenticators. And people just need to get into that practice of using it. And it's the same as, you know, in the U.S. I say it's the same as using your ATM card with a PIN that people are very familiar with or for the generation that my daughter is in, logging into your smartphone with your thumbprint or your face. It's just something we can extend and people will understand. Let's pivot again and talk a little about artificial intelligence. Obviously, we can't get through any conversation right now without talking about generative AI. What do you think are early cyber defense use cases and what scenarios are you seeing that give you optimism for success?

Keren Elazari: Sure. So I feel like we can't get through a conversation today without speaking with artificial intelligence. So, you know, they are everywhere. The different chat aspects of ChatGPT and other aspects of generative AI and artificial intelligence agents are really everywhere. What are the use cases I'm positive and optimistic about? Well, it goes back to what we discussed earlier, using AI to detect AI generated threats. So using AI to better verify identity and veracity of media, whether it's images, video, audio, et cetera. I think that's an area where we're seeing a lot of really great technical breakthroughs on really the ability of algorithms to be much, much better at identifying specific humans and differentiating them from other humans. It's also a little scary, but it can be to our benefit, especially if we consider the fact that we need to counter a lot of unhuman activity out there or inhuman activity out there. I see a lot of cybersecurity companies that have to use AI in the sense of machine learning, but they're also bringing in generative AI and large language models into the front end of their products. So what do I mean by that? I mean, giving the cybersecurity analyst sitting in the security operations center or even giving the CISO the ability to communicate with the organizational security system with the enterprise wide different security products that they might have, whether it's a firewall or endpoint detection product or any other internal cybersecurity system. Giving those CISOs the ability to engage with those tools through a chat interface, if you will, through a conversational natural language processing interface, allowing people in the SOC or in the leadership position to just chat with their security systems, asking them, hey, are we vulnerable to CVE such and such? And then that front end, that LLM will be able to parse that question, understand, okay, we need to run a query with our vulnerability scanning or our attack surface management product to understand whether we might be vulnerable to this CVE, which pertains to this and this particular database in that particular version that we might not have updated in this particular server from. So breaking down all of these tasks is something that generative AI tools and LLM tools can do if they are taught to do this step-by-step programmatic thinking. So it's going to be kind of like LLMs that are specific to the cybersecurity use case. And it's not even just a cybersecurity use case. It's more like the cybersecurity orchestration use case where the one analyst can be able to speak or communicate with all of the different systems that they might have through a potential LLM or generative AI model. So that's one particularly interesting use case. I recently saw not quite a demonstration, but a proof of concept architecture for something along those lines. I think that's pretty cool. I think one of the reasons that's going to be helpful for companies, it's not going to replace humans in the SOC. It's going to enable the humans to look at really more complicated, more complex, more intellectually challenging tasks. And it's going to allow companies to bring more people in without requiring people to have maybe 20 or 50 or 30 years of experience or five years of experience. It's going to allow companies to bring in people based on people's skill sets and capacity to work tandem, to work hand-in-hand with these types of systems, not based on their experience. Like people are not going to have to have the kind of experience I had hacking in the early '90s, you know, hacking early web applications and PHP code myself. The next generation of security professionals is not going to have to have that kind of skill set at their hands. They're going to need to have the skill set of being able to work with the cybersecurity AI systems. And that's ultimately maybe a good thing because it allows us to broaden the amount of people that are in the industry. And hopefully it will create a safer organization or a more secure organizational environment.

Ann Johnson: Can we talk a little bit about skilling? There are a lot of people, younger folks or even career changers that are thinking about a career in cybersecurity. And we certainly have openings in the field. What do you think are skills or even certifications that people need in order to pursue a career if they're just getting started?

Keren Elazari: That's a great, great question, Ann. Thank you for bringing that. So do you need a certification just to start just to get the first step in your career path in cybersecurity? I don't think that you do. You don't have to have a certification. Of course, it helps. But learning and understanding how things work and having the capacity to learn, having the capacity to adapt and understand that the way enterprise systems used to work five or 10 years ago is not how they're going to work in the next two to five years. And the way cloud instances work is something that's changing. Having that capacity to follow and understand the technological change in the infrastructure that most organizations have, I think, is a really key quality. So it's not necessarily about getting this certification or that certification. This goes back also to the hacker mindset. Like I said, I started as a hacker in the '90s. Technology has had three decades to evolve since then. And so many things are happening. I have to keep fresh. I have to stay on top of what new technologies are out there. I believe that's part of the hacker mindset. I believe it's part of what keeps me young and engaged in this industry, because every week there's something new for me to understand and learn. So this is something I believe people should have. They should have that really passionate thirst for knowledge, for applying new skill sets. It's not about like a one and done, I got the certificate, now we're going to work in the industry and that's what I'm going to do for the next 10 or 20 years. I think that's maybe a mindset some people might have. There are some certifications that might be better than others. But I really recommend building that mindset before you even consider certifications. Now, another thing that's key to talk about when we speak about skilling and organizational or the talent shortage, if you will, is that part of what I think newcomers to our industry at any age can find daunting is actually the fact that you can be 50 different types of cybersecurity professional. You can be a malware reverse engineer. You can be a security system architect. You can be a security operations analyst in a SOC. You can be maybe a web application security expert. You can be so many different things. And I believe that's one of the challenges for us, again, as the industry, to make that kind of knowledge more accessible and explain, look, here's like a couple of the main buckets that are out there. Maybe you're more into cloud infrastructure. Maybe you're more into applications. Maybe you're more into math. And then maybe you go into like the cryptography side of things, helping people just understand what are some of the major buckets that exist in the cybersecurity world. And one of the key misconceptions that I often see in this field, for example, I speak with computer science students a lot, especially young women who are studying computer science and they say, you know, Keren, I'm a really bad programmer. I'm not a great programmer. How can I ever be a cybersecurity expert? So I admit I'm not a great programmer either. The code I wrote mostly just broke things. But that's okay. Right? Because you don't have to necessarily be the world's best programmer in order to be a security professional and even not right now, because we are really living through the no-code revolution. I don't know if you've heard that term before, Ann, that people are talking about, no-code or low-code. And, you know, I think it's significant. People don't have to be programmers anymore if they want to be cybersecurity experts, unless they really want to do malware reverse engineering and they really want to, you know, breathe and eat and drink code every day and machine code and they want to disassemble code. Okay, and that's a specialization that people can pursue. But I really think we need to help people unpack these assumptions, like the assumption that you have to be an amazing computer science student and programmer and maybe the best in math in order to be a cybersecurity professional. I don't necessarily think that's the case. I think that's an assumption that we can toss out the window, frankly, certainly in the no-code, low-code age.

Ann Johnson: Fantastic. Yes, we're doing a lot of work with no-code, low-code. And we'll talk about that probably on an upcoming podcast. But I know you have a lot of irons in the fire. What are you working on right now?

Keren Elazari: So naturally, I'm planning for B-Sides TLV, our annual event. It's at the end of June. If any listeners are keen to come and visit us, please join me in Tel Aviv during Tel Aviv Cyber Week. It's the last week of June. Weather is guaranteed to be sunny. I can't speak as to whether our situation will be safer. We all hope that it will. And it's one of the optimistic acts that we have partaken in deciding to plan and go ahead with the conference. That's something that's a big keystone event for me. I'm continuously working on the leading cyber ladies community activities. And I'm also working on my own research. In particular, what's really interesting to me right now is how bad guys are taking advantage of generative AI tools. And I'm researching the different interesting new LLMs that have been created by bad guys, such as WormGPT. That's one that's out there. There's a couple others. I'm really looking into how these types of models work, how they are created and how bad guys are using them for nefarious purposes. For me, that's the latest area of research. And it's part of what keeps me fresh, or at least I like to believe it keeps me fresh.

Ann Johnson: Fantastic. I really appreciate you chatting with us today. Despite the rise in overall cyber crime and this year that we're going into where there's up to be a lot of disinformation and deepfakes and other things that are a little outside the specter of cyber, but still tangentially related, I do believe that our cyber defenders globally stay one step ahead of the bad guys. We tend to really talk about the things that are in the news, but there's thousands of things you and I know that never make the news because we've detected them and we've stopped them before they become a large breach. So as we wrap up here, and I continue to profess my cyber optimism, I would love to understand what you're optimistic about.

Keren Elazari: That's fantastic. So firstly, I have to say, overall, I am more optimistic about the applications for AI than most people. I think there are already applications to generative AI and advancement in AI that are going to help improve people's quality of life, specifically applications for AI in medicine. I think there are some really interesting things happening there. In the cybersecurity world, I am optimistic about how people can learn to use AI tools to automate and to get better. We have to do that because the bad guys are using AI all the time. I am optimistic about the amount of people I see that want to join our industry, that want to become cybersecurity professionals, the amount of people that want to become a hacker, a friendly hacker, a hacker for good. I think that while our industry needs all the help it can get, we're really at a good point in time where people are understanding, hey, this is not just like a buzzy, trendy kind of profession. This could really be a life path and a career path for me. And like I said, people teaching their kids about cybersecurity fundamentals, the Girl Scouts teaching cybersecurity skills, people bringing their kids to hacker conferences, that's the kind of thing that really gives me a lot of optimism.

Ann Johnson: Well, thank you so much for taking the time to join me today. I know you're incredibly busy.

Keren Elazari: Thank you, Ann. It was my pleasure to be on the show and I hope to meet with you and to speak with you again soon.

Ann Johnson: Same. Absolutely. Many thanks to our audience for listening. Join us next time on "Afternoon Cyber Tea". So I invited Keren to join me on the podcast because she is this incredible, young, dynamic security researcher based in Israel. She was inspired to get into the industry many decades ago by the movie "Hackers" when she was just very, very young. And she's just an inspiration with this incredible depth of knowledge. And I know it's going to be a great episode for everyone to listen to. Really high energy.