Keren Elazari on the importance of hackers

The development of cyber security is interwoven with the evolution of the hacker community. Keren Elazari, cyber security analyst and senior researcher at the Tel Aviv University Interdisciplinary Cyber Research Center, educated the world in her 2014 TED talk on the importance of cultivating friendly hackers for the protection of the internet. Today, she researches the most pressing cyber security threats, and how to prevent these breaches.

In this episode, Elazari shares her story of becoming a hacker as a young woman in Israel and speaks of the empowerment she gained through becoming an important player in the global community of hackers. She explains how businesses, organizations, and governments now collaborate with helpful hackers by creating bug bounty programs and other initiatives. Elazari explains tips for what companies should be looking for in way of cyber threats.

Business Lab is hosted by Elizabeth Bramson-Boudreau, the CEO and publisher of MIT Technology Review. The show is produced by Katherine Gorman, with editorial help from Emily Townsend and Mindy Blodgett. Music by Merlean, from Epidemic Sound.

Show notes and links:

Tel Aviv Cyberweek: https://cyberweek.tau.ac.il/2019/

Keren’s website: https://www.k3r3n3.com

Keren’s Twitter: https://twitter.com/k3r3n3

Ted Talk: https://www.youtube.com/watch?time_continue=2&v=JpFFb1jEUf0

FULL TRANSCRIPT

From MIT Technology Review, I'm Elizabeth Bramson-Boudreau and this is Business Lab, the show that helps business leaders make sense of new technologies coming out of the lab and into the marketplace. 

For as long as we've had computer systems, there have been those seeking to break through protections, but these hackers can also play a useful role in identifying the gaps in cybersecurity and identifying future threats. 

This is the last episode in our series on cyber security. And today, we're talking about hacking. 

Since the early days of the Internet, there have been friendly cyber experts, including our guest and these hackers have been critical to the health of the immune system of the Internet. Keren Elazari is a cybersecurity analyst and senior researcher at the Tel Aviv University Interdisciplinary Cyber Research Center. 

Elizabeth Bramson-Boudreau: Keren, welcome to Business Lab. 

Keren Elazari: Hi. I'm happy to be here. I'm glad to take this opportunity to talk about what we can learn from hackers and how hackers actually provide a critical role in today's information society. 

Elizabeth: Okay. So that's great. Let's get started because I really want to talk about the concept of the hacker as something to be celebrated. I think a lot of people have come to believe that hackers were threatening and you are coming at it from a very different point of view. Before we get into that and talk about your point of view, can you tell us a little bit about yourself and how you have become such a leader and sort of out front on this topic? 

Keren: Of course, Elizabeth.  I started my path in the cyber world, in the digital realm, if you will, when I was very young. I was around maybe 11 or 12 when we first got access to the internet in Israel, in Tel Aviv, where I grew up. And I begged my parents for a computer of my own that I could connect to the internet. Back in those days, you had to kind of figure it out on your own, how to make the modem work, how to dial up into the correct servers, how to configure your computer. 

And then once you were online, it was really up to you to find your path. And thankfully, I found my path with chat rooms and online groups for people who were passionate about technology as I was. And I was learning English by typing and speaking to these people in chat rooms who had no idea they were talking to a 13-year-old girl from Tel Aviv. 

To them, I was just another hacker, just another online personality behind the nickname. And it was there on these online rooms that I learned to appreciate how curious, how creative, how innovative the people who call themselves hackers can be. And around the year 1995, that's where my life really changed because that's when I saw the film "Hackers" with Angelina Jolie portraying a fierce high school hacker. And when I saw that film, I really connected. I immediately resonated with the story that that film showed. 

And it was a story of this group of high school hackers who are all a little bit of, you know, weirdos or outsiders. But together as a group, they actually prevented an ecological catastrophe. They uncovered corporate corruption. They showed the FBI where the real cyber criminal was hiding. 

And it's this group of kids that looked a lot like I did and listened to the same music that I did and had the same ideology that I had. That's the group of kids that showed me being a hacker can actually mean you are the hero of the story. Thankfully, I was able to take that image of the hacker as hero and the image of that young, powerful woman portrayed by Angelina Jolie and make that into my reality. I decided that would be my role model and that I would like to be a friendly hacker, one that helps organizations and nations understand security problems so that we can create better systems and we can prevent, you know, catastrophic outcomes from happening as a result of cyber attacks. 

Throughout my career, ever since those, you know, the mid-90's, that's the point of view I've always held. Now I've worked with different types of organizations, with government agencies. I served in the Israeli military. I worked with leading Israeli technology companies. And in all of these places, I brought to bear that hacker point of view and particularly that friendly hacker's point of view -- of how can we actually fix this problem? How can we create something better? So that's the perspective that I've had over the past, I guess, 25 years, almost in my career in the cybersecurity world. 

Elizabeth: I mean, I suppose intuitively I understand why hackers are kind of outsiders and, you know, quote unquote, "weirdos". But what is it about that community that makes it so, often, so ideologically driven? 

Keren: It's my point of view that hackers tend to be outsiders. Yes. But we also tend to be extremely passionate about technology. And this could sometimes lead to frustrating results when a group of hackers identifies a problem and we try to get it fixed, but we don't get the attention that we need, or we are immediately branded as criminals or as vandals. And that a lot of times leads to that result where people see us as having, you know, maybe a potentially malicious point of view. A lot of the hackers I know have, you know, maybe not the same ideology, but all share very passionate ideals about the role of technology in our life, the role of access to information about this idea that people should have access to knowledge and information, that technology should not only be owned by big companies and not only be something that people with a lot of money or privilege have access to, but rather that the internet and that technology is something that should be democratized. And I think this is maybe an ideology that you will find with a lot of hackers. 

“Where does it come from?” is a good question. And it's not like every hacker will share the same point of view or the same ideology. But back in the 80's, there was this magical document that made the rounds on the BBS, the bulletin board systems, and later on, on early web magazines and this document was called ‘The Hacker Manifesto’. And in ‘The Hacker Manifesto’, the person who wrote it talks about the people who are curious about technology as being hackers, people who want to explore the digital world for everything it's got without any barriers, and that those are the people who would call themselves hackers. So that's where that ideology came from. Of course, in the 90's, there were also quite a lot of criminal elements and organized crime in particular, which adopted the new potential that the internet and the technology world can offer them. And these people should be called cybercriminals. They might use hacking skills or hacking capabilities, but they don't necessarily share those same ideologies that the hackers that I grew up with, and that I represent, have. 

Elizabeth: Let’s talk a little more about this idea of the friendly hacker. The listeners of Business Lab are running companies and are very concerned about keeping this company secure from cyber threats. It's your point of view and I'd like to hear more about that, that hackers can help find tech problems and can kind of act as an immune system of sorts. So, what would you say to people that are running their companies? 

How should they be thinking about the hacker worlds and what should they be thinking about when they are concerned about cybersecurity and these sorts of decisions that they should make about maintaining or fostering greater security in those companies? 

Keren: Absolutely. So, it is my point of view that hackers can be the immune system for our new connected reality. And for those listeners of the podcast that want to learn more about that, I recommend they check out my TED 2014 talk, which is called "Hackers are the Immune System of the Internet". 

Since 2014, I've shared this message that hackers can be helpful allies with a variety of different organizations and people. And surprisingly, in the past couple of years, more and more businesses are finding that value of working with the friendly hacker ecosystem. And one great way that this is actually happening is the phenomenon known as “bug bounty programs.” So these bug bounty programs—also sometimes referred to as vulnerability disclosure programs or vulnerability reward programs—are actually frameworks run by very big companies, companies like Google, Facebook, Yahoo, Microsoft, Samsung and even companies that are not strictly technology companies, companies like United Airlines, for example, or Western Union or even Starbucks, the coffee chain. All of these companies actually have a bug bounty program in place. 

And what this means is that they are actively inviting friendly hackers to look at their product, whether it's their app, their website. It might be a car. In the case of Tesla, that has a long running relationship with hackers. And they're basically telling hackers, “Look at our product.”

If you find vulnerabilities, if you can discover security flaws and if you can tell us about those problems, “we will reward you for your efforts,” and those rewards, those bounties, they might be in the form of money paid in prepaid credit cards or debit cards, for example, but they might also be a non-monetary form of remuneration that actually holds a lot of symbolic value in the hacker ecosystem. So, for example, this could be swag, t-shirts or hats or unique experiences. 

For example, I remember certain year where Microsoft took out one of the biggest clubs in Las Vegas and booked one of the biggest D.J.s and access to that party. And that club with that superstar deejay was only afforded to those researchers, those friendly hackers who identified vulnerabilities and disclosed them to Microsoft's program. In another case… 

Elizabeth: So it became as it became a status thing, a sort of badge of honor to be invited? 

Keren: There is definitely a status element. And in fact, one of the reasons that bug bounty programs are so successful is because they have actually created social networks around them with hackers that are competing on leader boards. You could say that this has been gamified and hackers compete to be on the first place on the top five or top ten lists of hackers that have found vulnerabilities on the particular website or program. In certain cases there are even more special rewards that are only given to the top hackers on a particular program. For example, Tesla has a challenge coin and this is almost like a medal and they are only 20 of these Tesla challenge coins in the world and they go out only to those top hackers that help Tesla. In fact, last summer I saw Elon Musk in person attend the largest convention of hackers in the world, an event called DEF CON, which takes place in Las Vegas each year. And Elon Musk came there with his team and with his heads of engineering for both Tesla and SpaceX in order to talk to those talented hackers that were able to find vulnerabilities in Tesla's product. Of course, maybe it's not a surprise that an innovative company like Tesla or that Silicon Valley giants like Facebook and Microsoft work with hackers. But in the past couple of years, organizations like the Pentagon, the United States Department of Defense also launched their Hack the Pentagon program. And that bug bounty program has really showed great initiative, great results. From the moment it was first launched until this year, there's been so many vulnerabilities on Pentagon websites that were discovered via that program. So that means that the criminals, the spies, the bad guys that find the vulnerability, they're not going to tell you about what they discovered. And by creating these programs, we're effectively allowing that immune system. We are effectively allowing those friendly hackers a pathway, a legitimate legal pathway to report their findings and help us get safer. 

And I'm very passionate and hopeful about the further adoption of these bug bounty programs. And I think that's something every business leader needs to ask themselves, do we have an opportunity like that for friendly hackers to report their findings to us? 

Elizabeth: I have a couple questions. Are there particular kinds of bugs that those sort of bounty programs are best suited to seek? And secondly, how do business leaders who aren't running Tesla or Facebook are monumentally large, well-resourced companies? How did they gain access to this sort of program? 

Keren: So that those are great questions. I'm very happy to talk about bug bounties for as long as you like, because this has actually been the heart of the study, the research work that I've been doing at Tel Aviv University's Cyber Research Center over the past couple of years. And one of the things we discovered is that there is a lot of value to these programs when the product that is being tested or the platform that is being looked at is already public facing. So if you have a website, for example, if you are United Airlines and people are buying airline tickets on your website, you already have a very public-facing product which lives on the Web. And when you have a product like that, it's really helpful to have all those hackers identify vulnerabilities. In the case of United Airlines, by the way, they don't pay out money. They pay out air miles. And people have earned millions of miles by finding vulnerabilities on the United Airlines website. In another case, when it comes to apps or web systems or even, as I mentioned earlier, with cars, with Tesla in-car systems, when there is a consumer facing product that has a great deal of technology in it or when that product is on the web or it's a mobile app, that is a good time to engage the help of those friendly hackers via the format of bug bounty programs. Now, you asked how can small organizations enjoy that benefit? There is a variety of ways. One that's important to understand that today there are existing platforms that actually mediate that relationship with those hackers. I mentioned that it's almost like social networks have been built around it. The two leading platforms are called HackerOne and Bugcrowd. 

There are several other companies, but these are the two largest platforms and they actually mediate a lot of the bug bounty programs out there and they have more than 100,000 friendly hackers that register and use those platforms. So that's access to a lot of hackers. So that would be the number one place I would recommend looking at. Secondly, it's important to understand that even a small organization can have some form of engagement or outlet out there for working with friendly hackers. 

For one, there is actually an international standard for coordinated vulnerability disclosure, and that is the international standard for CVD coordinated vulnerability disclosure. And I can look up the number of that standard so that I can share that with your listeners. 

Now, other than that, there is another project which is called security.txt. And what the security.txt project basically says, it says that if you have a website or a consumer-facing technology, what you want to do is make sure that somewhere on your website there is a file that that is called security.txt and actually has the information of who people should contact if they find a security vulnerability on your site. You would be amazed at how many times the simple thing of just having the right contact information out there makes it possible for a friendly hacker to reach out and say, "Hey, I found a problem on your site, I found some bug in your code. You may want to know about it." 

Elizabeth: Right. That makes a lot of sense. So I want to switch a little bit to looking at cybersecurity threats that aren't just about computers or networks. And I think that, you know, a lot of our listeners are aware that the threat is only growing with iot and the proliferation of devices that are connected. Talk about that and what the hacker community is doing and could be doing to provide greater support and help business leaders. 

Keren: Absolutely. Before I do that, I just want to mention that the international standard I spoke about earlier is ISO 29147. So that's international standard number 29 147, which is actually an international standard for coordinated vulnerabilities disclosure that any organization can learn from and adapt and apply for their business. So I just wanted to give you the information about that. Now, with regards to a question, I think you really hit the nail on the head there. It's really no longer about information systems or, you know, our phones or our computers. 

There is really such a great deal of new connected technologies that we trust with our lives every day, whether it's connected home locks and surveillance systems like web cameras or, you know, the things that we rely to get our car in time, the navigation tools we rely on, the things that airplanes rely on, medical technologies. And this is a great this is a reason, actually, why we are now talking in our industry about cybersecurity and not about information security, because it's no longer about protecting secrets or our passwords or credit card numbers. It's really about protecting all of these cyber physical connected systems. Now, when it comes to those iot devices, the internet of things devices. This is where I think a lot of people, whether they are business leaders or, you know, private individuals, we really don't realize that we have to be the chief information officer for our own home, because in every family's home nowadays, there is actually more than a dozen devices, usually, maybe even more. And you have entertainment consoles, you've got DVD, you've got web cameras, you've got gadgets and tablets and personal devices, of course, phones and computers. And for all of these devices, there really isn't any chief information security officer or chief information officer that's going to maintain them for us. So as individuals, as consumers, it's really the responsibility to make sure that those devices have updated operating system environments that you don't have default username and passwords. That's things that we have to do and nobody is doing that for us. 

And that's where a lot of the new types of threats are creeping in, because a lot of people will tell you,"Hey, well, I don't care if somebody hacks into my security camera that I have in my backyard because I don't have anything to hide." But what people don't realize is that criminals are learning how to use all of these digital assets as pawns in their own digital armies. And in the past few years, we've seen massive attacks where criminals have actually taken over hundreds and thousands of these types of connected devices, whether it's web cams or digital video recorders, sometimes even office copying machines like a Xerox machine. And all of these devices can be used by criminals to launch further cyberattacks. So, when it comes to these devices, it's really up to each and every one of us to take responsibility, too. First of all, protect that device, whether it's by updating the operating system, replacing the default password. By the way, California state is a new law in place, which will be which will be applied in January 2020. That if you're actually selling or marketing any internet of thing Device in the State of California, you have to make sure that it's not going to have a default username and password combination. So you can't have devices that have the password of, you know, one, two, three, four or something like that as we've seen in the past couple of years. So that's something that's changing in the state of California. Hopefully more states will follow suit. But it brings it back to the personal responsibility we have as consumers. And we also have a responsibility and potentially a source of leverage as business owners. When we buy technology, when we acquire technology from a provider, from a vendor that's selling it to us, we can actually say, Hey, what are your security protocols?  What is your method of updating operating system or firmware for this device? How can you verify that it's not just going to have that simple one, two, three, four type passwords? How can I change my passwords? And I believe that as more people demand better from the vendors who create these technologies and sells these products, we will actually have a more secure ecosystem. 

Elizabeth: So these are really, I guess, you right call bottom up approaches. So the onus is on the person buying the device, that connected device or on the company's security team. You did mention the state of California, but in general, is this something that we ought to assume isn't going to be helped by government support or government regulation? 

Keren: Actually, governments are doing a lot more than they used to. Particularly in the U.S., we're going to see more regulatory approaches that will be a little bit more aggressive in their requirements from businesses and business leaders to be more knowledgeable about cybersecurity, to have a member of the board of directors for an organization that has cybersecurity knowledge and backgrounds. We have already seen cases where, for example, in the case brought to, I think the FTC against Uber. As you may have heard, Uber had several data breaches in the past couple of years. And as that case has been brought up to the Federal Trade Commission, the FTC has actually looked really closely at the level of security controls applied by Uber. And they are actually employing themselves with people who are knowledgeable, who are working for these consumer regulators that are going to ask really granular, technical level questions, and they're going to expect companies to have reasonable security controls. Now, what does reasonable security control means? 

It means things that are best practices, things that are considered to be something that any other company of that size or within that within that sort of budget would be doing. And one type of reasonable control that regulators are starting to look for is actually does a company have any means of communications with those friendly hackers that are out there and trying to report vulnerabilities? So does the company have a bug bounty program? Do they have a clear security or vulnerability disclosure policy? Are they making it known to people that there is a way to report vulnerabilities to them? And this is something that we're actually seeing more and more regulators starting to talk about. I'm very lucky in this sense because I happen to have a sister who is a lawyer and is now specializing in cybersecurity policy in the United States. And together with her, I've learned so much about the way American regulators are actually starting to push for a lot more when it comes to security controls on the part of American businesses. 

Elizabeth: Well, that's great. So let's talk a bit more about other kinds of threats. So how about ransomware? We've talked on this podcast about ransomware. Do you see that as a real and growing threat? 

Keren: So it's important to understand about ransomware that it was super trendy in 2017 and 2018. But criminals are always evolving and they're not going to do the same thing. So what was, you know, very valuable and profitable for criminals to launch in the past couple of years is no longer that profitable because more and more organizations have wised up and they're not going to pay the ransom. They're going to revert to a backup or they're going to find an alternative way to bypass that ransomware encryption. What has happened is that actually criminals have figured out a much more lucrative approach. And this is something called crypto jacking, also known sometimes as crypto mining. And what crypto jacking does is basically once the criminal has the ability to launch any type of malicious code on your system, it might be your personal computer, it might be your Web servers or your cloud servers. What they're going to do is that instead of encrypting the data and requesting a ransom, they're actually going to run a silent program that's going to mine for crypto currencies. A very popular scam. Your computer that is using you're exactly using your computer, using your computing power. So for some com companies, when this happens on their cloud servers, when this happens on their AWS infrastructure, for example, this could actually rack up dozens of thousands of dollars in computing power costs. And the criminals walk away with millions of dollars in cryptocurrencies. And the very popular cryptocurrency that's been mined in this manner is called Monero. And there's actually been so many campaigns that are creating very evasive malware that's going to mine for that Monero. In fact, even the wi-fi networks at Starbucks branches across Argentina had this Monero mining malware on them. So when people were logging onto the Wi-Fi, they were opening up their laptop to log onto the Starbucks Wi-Fi. 

Actually, that mining software was running on their computers for five or 10 seconds at a time, creating a lot of revenue in the form of crypto currency for the criminals. And this is why I say, Elizabeth, it's really important to learn from what the hackers are doing. It's really important to look at what criminals are doing because they are constantly evolving. And this is where I spend a lot of my time studying and looking at these new techniques, these new trends, the way that criminals are upping their game because they are coming up with really in the very new business models to take our digital assets and turn them into money very fast. And they're doing something new all the time. 

Elizabeth: So how would you know if your net what are you looking for to determine whether your network is or is not vulnerable to this sort of crypto jacking or crypto mining? I mean, that sounds that terrible. 

Keren: Yeah. Yeah. That's that. That is terrible. That's a great question. So one way you will notice that you have crypto jacking malware on your systems is, of course, if you have a very high Amazon Web Services bill at the end of the month, which is much higher than what you expected, or if you're looking at your energy consumption and you see that all of a sudden your servers are running at much higher CPU speeds, your processors are actually working a lot harder. You may also notice your machine is heating up. It's running gets hotter because a CPU is working harder. And you can notice this even as an individual, if you're, you know, your connection seems to be extremely slow. You're opening your web browser for specific sites and it takes them a really long time to load up. It might mean that you might have this type of cryptomining or cryptojacking malware on your system. It's important to note that most of the time these types of attacks now are targeted at those cloud instances. So they're not looking after people's individual computers anymore just because they don't really necessarily have the computing power that they want. Gamers, though, gamers who have powerful computers, usually with GPU as with powerful graphical processing units, might be more susceptible to these types of crypto mining malware. 

Elizabeth: Isn't AWS and other cloud providers, aren't they going to be searching for this rather than simply passing a high bill on to their customers? I would think they would be doing some you know, they could they could certainly have an AI take a look at any spikes or unusual behaviors in usage, I would think. 

Keren: So it's very it's very...I agree with you that it would be intuitive for us to expect the cloud platform providers to do more and look out for these threats. But the reality is that in many cases, the way the criminals get on people's systems is because they have an easily unsecured, easily accessible, badly configured cloud instance. So a lot of times the cloud company will say it's your problem because you left the door wide open. You didn't configure your cloud servers to be secure. You didn't put up a password or you use the default password or you used some very well-known. You had some very well-known vulnerabilities on your cloud servers. So it's really not their problem. It's yours. And this, I think, brings us back home to a major problem that a lot of people now have with consuming technology. We really don't understand how much responsibility still lies with the consumers. And there are a lot of expectations for the technology provider, whether it's a cloud service or an internet of things device or an operating system. We have a lot of expectations that the company selling us a product would actually be doing a lot more when it comes to security. 

But the reality is that their business model in many cases is based on the customer taking more of that responsibility on their shoulders. And we don't necessarily realize this. Now, I don't want to just, you know, name and shame companies. There are definitely cloud providers out there that are doing more. I know Amazon and AWS has a big team dedicated to looking security threats on their platform at the moment. They just happen to be the one that's most popular with criminals because it's the most powerful cloud platform. So we really have to continue all the time. And this cat and mouse game and the minute that the Amazon people will find a way to stop those crypto jacking malware from campaigns, from spreading a new type of attack will arise. 

Elizabeth: So that's a great place for us to turn to my next and final question, which is what comes next? And I'm not sure who's the cat and who's the mouse? But where's the cat going next? And where do cybersecurity concerned leaders need to be thinking about the future of the threat? 

Keren: It's really not clear who is the cat and who is the mouse here. You're absolutely right. But when it comes to that, what I'm thinking about when I'm thinking about what's next, I'm thinking about people and thinking about human talent. I'm thinking about the people that are going to be those security professionals, those friendly hackers, those business leaders of the future. And how can we get those people to be as knowledgeable, as innovative, as creative as some of the bad people out there? Because I guess as long as people write code, we will have vulnerabilities, as long as people use technology. There will be malicious individuals and organizations that will wish to use that technology for ill gains or for manipulation. And we are going to need more people than ever before. So it's my point of view that the friendly hacker community can help. But also it's really important to invest in cybersecurity, education and awareness, which is why I run. Besides Tel Aviv, it's Israel's largest hacker community and security research community event. It's why a Tel Aviv University we host something called Tel Aviv Cyber Week, which provides knowledge and information to more than 8,000 people each summer. It's why whenever I travel, whenever I have any free time, I spend my time going to hacker events and whether it's a community meetup or a technology conference, because we really need to pay attention to the type of research and knowledge that is now being generated by friendly hackers so that we can actually get more people out there armed with information and knowledge. They need to develop a better and safer future for all of us. One area that a lot of people are thinking about is the area of AI. 

And that's something that's, you know, really crucial to understand that we might actually be in an arms race when it comes to AI technologies and specifically AI for cybersecurity, both on the offensive and defensive side. But whereas the arms race actually becomes a reality, is in the race to recruit the talent, the people that can actually create that next generation a system. And that's an area where I think currently the United States has an advantage. And if you would like to keep that advantage, you have to continue investing in that sort of know-how and that sort of talent and building up those outsider hackers that can actually be the future defenders of tomorrow. 

Elizabeth: So, Keren, where can people get more information if they want to learn more about some of the things you've been talking about today? 

Keren: So I am very easy to find online. My name is Keren Elazari. But in the hacker world, I'm known as Keren E. All of the E's are spelled with three. So you can either go to my website, K3R3N3.com. You can find me on LinkedIn. You can watch my TED talk on Ted.com: "Hackers are the Immune System of the Internet". There is a variety of content that I put out on YouTube. And you are very welcome to check out Tel Aviv Cyber Week. And BSides Tel Aviv, BSidestlv.com is the site you want to visit, if you want to come and experience the hacker community that we have here in beautiful sunny Tel Aviv. 

Elizabeth: Wonderful. Well, thank you so much for joining us here at Business Lab.  

Keren: Thank you, Elizabeth. 

Elizabeth: That's it for this episode of Business Lab.. I'm your host, Elizabeth Bramson-Boudreau. I'm the CEO and publisher of MIT Technology Review. We were founded in 1899 at the Massachusetts Institute of Technology. And you can find us in print on the web, at dozens of live events each year, and now in audio form. For more information about us and the show, please check out our website at technologyreview.com. This show is available wherever you get your podcasts. 

If you enjoyed this episode, we hope you'll take a moment to rate and review us at Apple Podcasts. Business Lab is a production of MIT Technology Review. 

Our senior editor is Mindy Blodgett. This episode was produced by Collective Next with editorial help from Emily Townsend. Special thanks to our guest, Keren Elazari. 

Thanks for listening. We'll be back soon with our next episode.