This podcast episode features an enlightening conversation with Alissa Knight, a notable figure in the cybersecurity landscape, who shares her unique journey into the realm of hacking and cybersecurity. From her early days of curiosity and mischief, starting at the tender age of thirteen, to her transformative experiences following a pivotal arrest, Alissa reflects on the lessons learned and the paths forged in the aftermath. The discussion delves into the evolution of hacking practices and the current landscape of API security, which Alissa identifies as a critical area of concern due to its expanding attack surface in contemporary technology. As we navigate through the complexities of artificial intelligence’s role in cybersecurity, Alissa emphasizes the necessity of integrating security practices into the development process. This episode serves not only to illuminate Alissa’s personal narrative but also to provide valuable insights for aspiring cybersecurity professionals and organizations alike.
In this episode of the Security by Default podcast, host Joe Carson engages with cybersecurity expert Alissa Knight, who shares her unique journey into the world of hacking and cybersecurity. They discuss the evolution of hacking, the challenges of API security, and the transformative impact of AI on the industry. Alissa emphasizes the importance of continuous learning and adapting to new technologies, while also reflecting on her career shifts and the significance of storytelling in cybersecurity marketing. The conversation highlights the need for organizations to invest in their employees’ education and the future of cybersecurity innovation.
Takeaways
- Alissa started hacking at the age of 13, driven by curiosity.
- The early days of hacking were like the wild west, with fewer resources.
- A significant turning point in Alissa’s life was her arrest at 17.
- Cybersecurity offers lucrative career opportunities for skilled individuals.
- API security is a growing concern as more services rely on APIs.
- AI is reshaping the cybersecurity landscape, creating new challenges and opportunities.
- Continuous learning is essential in the fast-evolving field of cybersecurity.
- Organizations must invest in training their developers in secure coding practices.
- Storytelling can be a powerful tool in cybersecurity marketing.
- The future of cybersecurity will heavily involve AI and automation.
Sound bites
“It was the wild, wild west.”
“I was arrested on my school campus.”
“This industry pays very well.”
Chapters
- 00:00 Introduction to the Podcast and Guest
- 00:57 Alissa Knight’s Unique Origin Story
- 05:30 The Evolution of Hacking and Cybersecurity
- 10:54 Turning Points and Career Shifts
- 16:10 The Impact of DDoS Attacks on Career Paths
- 20:57 The Importance of API Security
- 24:06 Hacking APIs and Security Vulnerabilities
- 27:52 The Evolution of AI in Coding
- 31:30 From Cybersecurity to Hollywood
- 36:32 Introducing ARIES: AI for Cybersecurity
- 39:03 The Importance of Continuous Learning in Cybersecurity
Resources
https://www.linkedin.com/in/alissaknight/
https://www.knightgroup.co/
https://microreels.com/
https://www.youtube.com/@AlissaKnightArchives
The Security By Default podcast presents an engaging dialogue between Joe Carson and Alissa Knight, a seasoned cybersecurity expert with a rich and unique background in hacking and security. Alissa recounts her journey into the cyber realm, beginning at the tender age of thirteen when her curiosity led her to explore the inner workings of technology. Her early experiences with bulletin board systems (BBS) and the hacking community shaped her understanding of cybersecurity, illustrating the evolution from the rudimentary practices of the past to the sophisticated techniques employed today. Alissa reflects on her misadventures, including a pivotal incident that resulted in her arrest at seventeen, which ultimately redirected her path towards a career in cybersecurity. This incident, rather than being a mere setback, served as a catalyst for her transformation, providing her with insights into the resilience required in the face of adversity. Throughout the discussion, Alissa emphasizes the importance of continuous learning and adaptation in the ever-evolving field of cybersecurity. She highlights the shift in focus towards API security and the challenges posed by artificial intelligence in code development. The conversation delves into the significance of secure coding practices and the necessity for organizations to invest in the education of their developers. Alissa’s insights illuminate the critical nature of understanding the vulnerabilities that arise in modern applications and the imperative for cybersecurity professionals to stay abreast of these developments. The episode encapsulates a narrative of growth, resilience, and the pursuit of knowledge, encouraging listeners to embrace their journeys and strive for continuous improvement in the cybersecurity domain.
Transcript
Hello, everyone. Welcome back to another episode of the Security By Default podcast. I’m the host of the show, Joe Carson.
It’s a pleasure to be here and I’m always excited. This is my favorite part of the week.
I always get to enjoy spending some time with awesome people, great minds, leaders, legends in the cybersecurity industry, and we’re always living in a world of chaos. And, you know, this episode and podcast is all about bringing clarity, education, knowledge to you and whatever your career path you decide to do.
If you’re looking to learn more, you’re looking to get into the industry, you’re looking to evolve your knowledge in the industry more. Uh, this is really to help you, give you the tools, knowledge, and connect you with awesome people in the industry.
Um, so I’m really excited to bring back. Well, actually, this is the first time we’ve actually spoken on this podcast. But somebody I have spoken to many, many times in the past.
Alissa Knight: For us and meeting again.
Joseph: Absolutely. So, Alissa Knight, welcome to the podcast. Since this is your first time, not back, but since the first one.
Alissa Knight: No, that’s all right.
Joseph: We’re connecting again for a while.
Alissa Knight: It’s probably, you know, for your audience, other, you know, another moment to. To see me speak, interview.
Joseph: Absolutely. And for me, it’s like I always enjoy, enjoy getting to chat with you. So, so much knowledge and so much history. So if you give.
Give the audience a bit of a background about how. What’s your origin story, how you get into the industry, you know, did you select it? Did it choose you?
Alissa Knight: Yeah.
Joseph: What was your path? Was it a normal path that many of us take, or was it something unique and different?
Alissa Knight: You know, I love talking about my origin story because it is so unique, you know. So I started hacking when I was 13 years old. I noticed at a very, very young age I liked to take things apart.
And to me, hacking really is nothing more than just, you know, taking something apart, figuring out how it works, and then doing something that the developers didn’t expect for you to do. I built my first computer when I was 14. Got into the BBS scene. So this, you have to remember, like, so I’m old. Okay, let’s just disclaimer.
I’m a lot older than I look.
Joseph: We’re a very similar era.
Alissa Knight: Well, I’m like, my hair would be as great as yours if it wasn’t for this, this purple hair color. So I, I, you know, I got into it at a young age. I.
So at the very beginning, right before Google, before even cybersecurity degrees, you know, people communicated over things like Prodigy. And in the BBS scene there was like FidoNet, you know, there was, there were these messaging, this messaging system that BBS’s would use.
So BBS’s would basically call out to other boards and exchange messages and that’s how you messaged people. Right. So I actually ran what was called a multi node BBS in Seattle and it was blazing fast.
2400 Baud modems for those of you old enough to remember the sound of a modem connecting. Oh yeah, yelling at your mom or your sister because they picked up the phone while you were downloading all day for.
Joseph: Oh, that was, that was my nightmare, my nightmare. Because we only had one phone line. Oh yeah, yeah, so the old LimeWire, Morpheus.
Alissa Knight: Yeah, exactly, LimeWire, you know, and, and then hoping when you reconnect the download would resume because you spent all day downloading a 5 meg file anyway. So that, that really was how I got into it was the BBS scene.
And then I, I was mischievous at that age and you know, exploring this whole new world online world. Got into carding, which was basically using credit card generators to, to create what were called dial up or shell accounts.
And so I joined this, this IRC channel for hackers and met other hackers in this channel.
And at the time when you wanted to become a hacker or learn how to hack, you didn’t just reach out to people on like LinkedIn and say teach me how to hack.
You just kind of became part of the community and you hung out and you got on these big Cardan conferences and you downloaded exploits and learned how those exploits worked. And, and that’s really how I got into it was downloading .c exploits.
Because back then, Joseph, you had to actually know how to compile code in order to be a hacker and use exploits or write them yourself. You didn’t have Metasploit, you didn’t have a lot of these point and click attack platforms that you have today.
That makes exploitation so much easier. And that’s not even talking about AI yet, but you know, it’s, it was, it was difficult.
Like you, you, you could spend all day trading exploits and you traded them like baseball cards. And you, once you got your hands on an exploit, would it compile, would it work?
Joseph: Did you have the right, right version?
Alissa Knight: Right hardware or, or if you didn’t know what you were doing, compiling it and running it, not realizing that it, it contained a backdoor in it, you know, and, and so it was, it was a very different time. It was the Wild Wild West. And you were figuring it out. You were hacking networks through Apache buffer overflows or WU-FTPD buffer overflows.
It was a very different time. But that’s, that’s kind of my, my origin story.
I got my first computer, it was a 486SX25, running a BBS, connecting to other BBSs, underground BBSs and then getting into the IRC scene. And I was actually part. I don’t know if you remember this, Joseph. There was something called the art scene.
It was like ANSI and ASCII art, like iCE and.
Joseph: Oh yes, yes. Actually I have a whole collection somewhere. It was really funny. Not long ago I was going through my old collection. Like I literally.
I still had it on floppy disks and I literally. Yeah, I found all my old ASCII art.
Alissa Knight: I ran an ANSI art group.
And so, you know, it was like, I was big into the, the, the art scene because almost kind of like this to me, sort of like a sister culture within the hacking community.
Like you had a lot of people that were in the ANSI/ASCII art scene who were hackers or you know, so they, they were very, I would say, you know, cousins, the two communities. And so a lot of the artists that I hung out with, ANSI/ASCII artists. And you’re talking about really talented people.
I mean, for those of you who don’t know what this is, it’s basically colored blocks. And that was your imagery when you connected to a BBS.
It was like a 6,000 line picture of like a woman in a bikini and it was made with nothing but colored blocks. And that was the scene we’re talking about. But you know, and then you have like the demo scene and the music scene, but a lot of those were just.
Were hackers, you know, and that you were hanging out with. But yeah, that was just really curious.
Joseph: About how to do things differently and sometimes just learn how things work. And a lot of it was also repairing.
Alissa Knight: Right.
Joseph: Sometimes if something broke, there was not an easy way to go and just, you know, replace it easily. So a lot of times you were actually repairing it yourself.
I actually watched recently during one of the conferences a guy presented purely in ASCII art. It’s actually his slides and his old demo. Everything was.
Alissa Knight: You’re kidding. That’s amazing. I would have like split up and just like started clapping. I was amazed.
I was always constantly amazed by, by the sheer talent of a lot of those artists. Just, I mean, you are, you are creating this amazing picture with just colored Blocks. It was crazy. But so I made some mistakes as a kid.
I, I hacked into a, we’ll call it a restaurant franchise and didn’t get caught, so felt I was invincible. Like most kids were, if you’re not caught, you’re invincible, right? And then at 17 years old, made a huge mistake and hacked a government network.
And they were waiting for me at school and to arrest me, and I was arrested on my school campus. So that really was the inflection point in my life that I really took a step back and realized I, this is not the path that I want to be on. Right.
I, I, I looked terrible in orange, didn’t want to go to prison, and so realized when the charges were dropped that, and then recruited by the intelligence community in cyber warfare that, that there was a different path for my life that I knew a different journey that I knew I needed to be on.
I was supposed to graduate in… They, they didn’t really fully understand hacking. As a matter of fact, the charges were written up wrong. When the arresting agents arrested me, they, they, they wrote it up as industrial espionage.
And so the charges were wrong. They interrogated me as a minor in a closed room, locked room.
And so there were so many things wrong with the arrest that the district attorney was like, I’m not touching this. So the charges were dropped.
And you know, it’s funny because just recently started thinking back at that time and was thinking, you know, my whole life since then, I was thinking the agent didn’t know what he was doing. But now I’m starting to wonder, like, did he do this on purpose to give me that second chance?
Like, what if my entire time I’ve been looking at this wrong, thinking he made this huge mistake, you know, Ha, ha ha, you idiot. What if he did that on purpose.
Joseph: And intensely, clearly knew what he was seeing in you and realizing that actually, here’s the way to give you, give you an opportunity in life.
Alissa Knight: Yeah, exactly.
And I feel like, you know, we don’t give enough credit to law enforcement, you know, and actually worked with law enforcement, obviously, for a long time, especially in the car hack, the law enforcement vehicle car hack. And I have an enormous amount of respect for them.
And I feel like a lot of us don’t give law enforcement that respect they deserve of, hey, you know, maybe this guy knew what he was doing. Maybe, maybe he knew what he was doing and, you know, he was just trying to give me that second chance.
Joseph: Absolutely.
I think when I, when I think about, you know, you’re sharing your story, I’m thinking about how lucky many of us were because I think for me, you, I think the laws came. A lot of the laws came from 95 through 97.
Alissa Knight: Yeah, they were. It was, it was, it was when the frontier was being built. Right. It was when the, it was when it was all being built.
It was, it, like I said, it was a very different time.
Joseph: Yeah. And my, my mischief of my own was, was before that, fortunately enough. And I think for me, so from my.
As it was around 89 through like 94, and then as I went to university, I got other interests and then kind of went off the hacking scene for a while. And it wasn’t until later, I think it was around 99, when I came back in mostly from like the sysadmin side of things.
So it was, I was fortunate enough to have that mischief before the laws came into place. And then, you know, that kind of, kind of made you think a lot about how things can impact.
So after, after all of that, I mean, and you, you’re fortunate. I think when we look back, a lot of people are fortunate enough to be able to get that shock early enough to kind of re.
Kind of really set you on a different path and sometimes even a path that can change the world in a positive way in a great way.
What was kind of, what was your change that you had, you know, after the charges were dropped, what, what did, what decisions did you make and kind of, you know, and path did you take from then.
Alissa Knight: So after the arrest, you know, was. I was living in Silicon Valley. This happened in Cupertino, I believe it or not.
I was working on the sales floor of CompUSA and for those of you who remember CompUSA, remember Circuit City, I was working in computer stores because that, that was the, the obvious thing for me, right. At 17 years old, the. I remember just being constantly berated by the leadership team that, like, you’re not selling enough extended service plans.
And I didn’t believe in them. I didn’t believe in extended warranties on a computer.
By the time, even at that time in the late 90s when you wanted to upgrade your computer or anything, you were upgrading just as, you know, before the extended warranty. They wanted me to sell five year extended warranties on computers.
And so, you know, it, it was a. I took a look at my life and realized that this is not the life that I wanted for myself. Ended up. That’s, that’s when I decided I didn’t want anything to do with retail. I didn’t want anything to do with dealing with customers.
And I got my first job in, in a white collar job in, in, in an office and got hired as a cybersecurity engineer. And it was great because you have to remember at the time saying that you were a hacker was very taboo.
It’s not like what it is now where you’re like, yeah, you can add.
Joseph: Some context today and people can get it. But then it was kind of like, ooh, yeah, exactly.
Alissa Knight: You didn’t talk about that in an interview. You were like, you were, thank you for coming. It was nice meeting you. You know, it was very taboo.
And so whereas now it’s kind of like bragging rights, you know, and, and you know, you’re like, yeah, I used to be a hacker. I learned the error of my ways. And no, but back then you didn’t talk about that. It was not something you talked about.
And so I remember my first job, it was SBC Datacom. And I remember. I’ll talk about economics here in cybersecurity for a moment if that’s okay.
So, especially for those who are looking to get into cybersecurity in your audience or into penetration testing. So my first job, I was making 90,000 a year. And you have, remember, like, I’m 17 years old. Like 17, 18 years old.
My father was the head of marketing for Sun Microsystems, for those of you who remember that company. And, you know, it took him an entire career to, to make six figures. And so right out the gate, a kid expelled from high school, High school dropout.
I’m making 90,000 a year. And I sat back and I realized, oh my God, like, this industry pays very well, you know. And so I’m like, yeah, this is, this is.
I’m getting paid to break into networks and I don’t have to worry about the knock at the door. This was. I had found my place. I had, I’d found, I’d finally figured out who I was.
It was, was an inflection point for me in realizing that my career has just begun and just started.
And especially working for a company like SBC Datacom, now AT&T. And I’m heading the, the penetration testing group. At the time we called it the Tiger Team. Now you know, you call it Red team, whatever teaming and. Yeah, exactly. At the time a lot the en vogue name was Tiger Teams.
And so I ran the Tiger team at SBC. And so it was cool because you know they, they’re like wow, you know we have Loki. This is my hacker alias Loki.
I don’t talk about that much but you know it’s was at the time it was like wow, you know, this is great. And so that kind of started it for me in my career.
Joseph: That’s fantastic. I think it’s really, it’s, it’s amazing how certain events will completely transform your, your, your trajectory and your path.
Because even you know, I always remember back to mine, which was I was a victim at one of the companies I worked for at the time, Foreign Exchange Money Markets. And I was responsible for the network operations center which is what we call today pretty much a SOC.
And we were the victim of a massive DDoS attack. And it was actually we were a secondary victim. We would just have to be on the same ISP that Steve Gibson’s company GRC.com was on.
And at that time it was like some 13 year old kid was targeting his company with a large botnet and we were secondary victim. And I worked with Steve Gibson on doing the indicators of compromise, sharing the actually IP and filtering and trying to mitigate it.
And for me that was such fascinating that similar to you I find my calling is like I want to. I completely switched my career from being just a sysadmin to really focusing on the security side of things.
Alissa Knight: So it was the DDoS, it was the DDoS attack. You know, it’s, it’s. And, and here’s the thing about DDoS and botnets and stuff like that.
It always really frustrated me when people that were launching DoS attacks or DDoS attacks were being referred to as hackers because to me that was never hacking.
Joseph: Like I hated it, it was disruption.
Alissa Knight: It was, yeah, it’s like you don’t. All you need is a significant amount of pipe to launch a DDoS attack.
And especially when in the early days when you’re talking about those kinds of DDoS like ICMP floods or SYN attacks, like SYN floods. Like you just needed a significant amount of bandwidth, that didn’t make you a hacker. Like you’re taking a network offline, that’s not hacking.
And so I, and I know there’s people that will disagree with me, but I just have never seen that as legitimate hacking. Like you said, it’s Like, I’m not at a barbecue. It’s.
Joseph: Yeah, it’s, it’s just a disruptor. Somebody just wants to take down a.
Alissa Knight: Service, not at a barbecue, you know. So, yeah, so I started back in the days, like if you, I don’t know if you, if you remember this, Joseph, but a site called SecurityFocus.
Joseph: I do, yeah, actually, I do remember.
Alissa Knight: And Packet Storm, so, you know, publishing exploits on Packet Storm and advisories. So I was, I was part of the open disclosure community. And so, you know, it was, it was, like I said, it was just a very different time.
And when you, when you publish vulnerabilities, you were always worried about getting sued by the manufacturer, right? There was always that threat of lawsuit. And as a matter of fact, the first Black Hat briefings that I spoke at was hacking VPNet VPN appliances.
I had been fired from my job at SBC for speaking at Black Hat and because they had a relationship with VPNet where, you know, that, that gave them like, hey, look, you know, we’re going to be doing a significant amount of business with VPNet, we need to deal with this. Just fire her. And so I got fired. And. But you know what, a lot of great things came out of that. And so I couldn’t not do it.
There were so many networks that were being protected by VPNet at the time. You know, VPNs were God’s gift of security, Triple DES encryption, IKE, ISAKMP, you know, all that stuff.
And so I felt this sort of moral obligation to talk about how you can completely circumvent and bypass these devices. And so, but it was a start for me. And one of the things that I get asked a lot is, okay, I want to be a hacker, I want to be a penetration tester.
What should I focus? I was like, first of all, you can be a generalist, where you’re just a generalist network penetration tester. But I really wanted to niche myself.
And my niche was black boxes. And it really started with being publishing the first advisory on hacking VPNs.
I discovered that our secure, I can’t remember the name of it, but it was a VPN company. And I discovered that they had hard coded the root password into the SSH binary.
And so if you typed that password in, it gave you a root prompt on a VPN.
And it was really started my foray into not only do I want to be a hacker, I want to hack things that are just black box devices that you don’t have access to the source code and you don’t have anything except an IP address and services that are running on it. And that was my, my sht. That was what I wanted to do. I just feel, you know, and it’s weird because I.
So I agreed, like completely agreed because, you know, not having access to the source code, not having access to anything, I mean, and you want to talk about a black box pen test, literally is that it’s. You’re not given any information, you’re not given anything at all to help you on the pen test versus a white box pen test.
And, and I think that’s what was exciting for me because it was such a labyrinthine area of security that I was like, this is my place. Like, this is, this is so challenging and it’s such a maze in trying to like figure out what this device does and try and figure out how to hack.
It was cool to me. That really was my niche. So. And then I got into API hacking.
Joseph: And the rest of… Share a little bit of your history in the API space. Because for me, I think that’s definitely one of the biggest challenges I see for many organizations today is everything’s becoming.
We look at it from, you know, entire automation perspective and workloads and, and communications and systems are talking to each other, cloud’s talking to each other. We set up so much automation and all of it’s channeled through APIs, either to share controls, commands, data flow, access changes.
How are you seeing the world of API security today and what should people be thinking about or concerned about?
Alissa Knight: Sure. So for those of you in the audience who don’t know what APIs are, API stands for Application Programming Interface.
And what APIs are is they’re basically the worker bees in the backend that are performing a particular function that’s being requested of it. So think of it kind of like a waiter at a restaurant that goes back into the kitchen to deliver your order.
The waiter is delivering what you’re asking for and that’s an API. So everything communicates with APIs. It’s the plumbing of today’s world. The mobile apps on your phone connect with APIs.
Pretty much every car made after… So I, in realization that it was such a massive attack surface, I really wanted to focus on the API. So I wanted to get away from hacking black box things, devices, to APIs. And so there are different types of APIs.
There’s what are called REST APIs or RESTful APIs and GraphQL. So you, you approach the compromise of, of REST APIs differently than you would from GraphQL.
So to me, this was a massive attack surface because this is where the, this if, if you want to, because all of you need to remember hacking went from defacing websites to profiting off of hacking. Right? It’s a, it’s a massive profit center now.
And so you look at ransomware, you look at whatever and the profit comes from the data that you compromise. So you can lock and leak, you can, you can encrypt it and then, and then ransom the company to get it back or you could sell it on the dark web.
Joseph: And a lot of extortion is one of the.
Alissa Knight: Extortion?
Joseph: Yeah, extortion, overt ransomware in the past, which is pretty, pretty impressive.
Alissa Knight: Exactly.
You know, so now it’s gotten to a point where not only are we going to extort you for getting your data back, but we’re also going to double dip and we’re going to sell it on the dark web. And so I knew that attention was going to shift towards APIs.
Now the thing is, is that in penetration testing, just because you meet a senior pen tester doesn’t mean they know how to hack APIs. I’ve met 20-, 25-year hackers, pen testers that won’t touch APIs. Right. They’re more generalist.
Network pen testing, exploiting services and then getting a shell, which is great, which is fine, fine. But you know, when. So API. To me hacking APIs is very much sort of like a subset, if you will, of hacking.
And so the great researchers in this area, Corey Ball, Dr. Katie Paxton-Fear, his.
Joseph: Book is awesome, Hacking APIs.
Alissa Knight: Yeah, it’s super, super great guy, hard of Gold and Dr. Katie Paxton-Fear. And so you know, we in this sort of circle, if you will, are always trying to put content out there to teach people how to hack and secure APIs.
And that’s how I hacked the law enforcement vehicles was I discovered a vulnerability in the car maker’s APIs that allowed you to remotely start and stop the engine of any vehicle on the road and lock and unlock the doors, which obviously is a massive vulnerability, a massive problem, especially in law enforcement and then healthcare, healthcare providers and payers that are trafficking, storing and trafficking our PHI across APIs and those not being properly secured. So it is a real problem and it continues to be.
And I think as we move into this, I shouldn’t even say that anymore now that we are in this age of AI where Agentic AI is writing the code and, and people that are deploying that not realizing, hey, you need to also have the AI agent secure the code. I think it’s going to get worse before it gets better.
And I think that as more and more APIs are being written by AI and apps are being written by AI, it’s, we’re going to start regressing back to the days of hard coded keys, you know, things transmitting over HTTP.
And I can talk all day about the flaws in agentic AI code development, but you know, the problem is, is that a lot of organizations are putting people at the, at the keyboard to have AI write code not knowing how to properly secure.
Joseph: Absolutely. We’re getting a lot of vibe engineers and you know, it’s more like prompt engineers who are.
I attended a hackathon recently and literally we just prompted our way to creating an application over the weekend.
Alissa Knight: Yeah.
Joseph: And then we just had to create a template and we had to write some code. But majority was done for us. We just had to go and make sure that it understood the platforms, understood the data set that we’re working with.
But it did a lot of it. I do say it’s, it’s good at writing code, but it’s not good at writing secure code.
Alissa Knight: Right? Yeah. Like it defaults to a lot of things like, like using HTTP instead of TLS, setting really easy to crack passwords like Joseph 1, 2, 3.
Like not hardened passwords at all. And so you have to catch stuff like that and you have to constantly watch it.
And, and please understand this, I’m not denigrating vibe coders or vibe coding or agentic or swarm coding. That’s not the point. I think it’s just all. We can have respectful discourse around this topic because I think it’s very interesting.
But I see swarm coding as the next evolution of the IDE. Right.
This same argument was had when we went from assembler to C and C. You know, you got higher level programming languages, there were always debates over you not being a real coder because you’re using this higher level language. So I think it’s just this next evolution.
But what needs to happen is we need to really take a hard look at the models that are writing the code to teach them about shift left security like you mentioned, and building security into the code as it’s being written because the people.
Joseph: It should be the default.
Alissa Knight: It should be the default. Like come on. Setting password 1, 2, 3. Like I’ve seen LLM models set password 1, 2, 3 as the password because.
Joseph: Of using the Internet as machine learning.
Alissa Knight: Yeah.
Joseph: I mean what’s the most common used password out there? Oh, let’s use that for our default password. Yeah.
Alissa Knight: 10 Worst passwords. You know, and that’s the problem. And I think, I think we will get there. I feel like we will get there. It’s, that’s. And I love this.
And I’ll plagiarize MKBHD on this. This is the worst it’s going to be. That’s the thing that you need to remember is amazing. But it is flawed as AI is right now.
It’s still the worst it’s going to be. It’s only going to get more advanced and more sophisticated from here and going in there.
For Anthropic to go in there and retraining Claude to implement Shift left security and do things securely as it’s being built is quite simple. Right. It’s just getting there. It’s getting to that point.
Joseph: Absolutely.
I really enjoyed, at the ISC2 Congress, Chris Wysopal, who's the founder of Veracode. He actually shared their research during ISC2 about the whole secure by design and the shift left, and they have seen huge improvements in coding where you're using AI to code. It's actually getting on par, equal to human coding. But the secure coding is improving slowly.
It's getting there. Right now it's about equal still, but it's being made better. You're absolutely right.
We're in the stage where it can only improve and learn, because we hope somebody doesn't make a mistake somewhere, like it learns to get worse.
Alissa Knight: Yeah, yeah. It's a...
Look, here's the thing I would say, and again, I understand this is a very divisive topic, but I would say that coding models right now are junior-level developers.
So I think, and don't get me wrong, it's amazing what Claude is capable of and other models are capable of with creating microservices and Kubernetes containers and Docker containers and stuff like that. Microservices. It's amazing. But still, I think where they are at right now with development is very junior.
I think what's compounding the problem is not just the level, the degree of where they're at with code development, it's the short-term and long-term memory problem. It's the memory problem.
Because what you'll see happen, if you're not policing it, is the model will drift in the middle of development and start doing things that are antithetical to what it had written before, or creating a duplicate service in your microservices cluster that's duplicative of something it already created. The memory problem needs to get fixed.
And so, you know, I know that there are companies, recently funded companies, that are attacking that problem, trying to have a really good understanding about the human brain and how our neurons fire and form pathways for short-term and long-term memory, and trying to turn that into code. I'll be honest with you, Joseph. Like, this is a big reason why I left Hollywood and came back into...
Joseph: I was going to get to that point as well.
You know, it took a slight, you know, a diverse direction for a while, which I so enjoyed, because I think it is definitely exciting, what you were doing. Can you share with the audience, you know, what you did? And also a little bit about the Ares project as well that you...
Alissa Knight: Three years ago. So no, this was... sorry, 2020. Going back too far.
During COVID I was approached by a cybersecurity vendor to create a film. I was doing a lot of content creation and had a growing subscriber and follower base on YouTube and across the socials.
And a vendor came to me and said, look, you know, we want you to create a short film where you're hacking into a network, but our product prevented you from hacking it. And I was like, oh, this is a cool idea. Let's do this. So I went to University of YouTube, right?
Because you don't need to go to some expensive college anymore. You just go to University of YouTube. And I'm like, okay, what is cinematic? How do you make, you know, what lighting, what camera?
You know, what are the best cinema cameras? So we started buying all of this production equipment and learning Rembrandt lighting techniques and, you know, ARRI and RED cameras.
And so we made the short film and it was their most successful marketing campaign.
I want to say that they spent like $50,000 on the video, and it brought in seven figures in revenue for them just off that one short film. Because it was this radical new way of cybersecurity marketing where you're telling a story versus go download our white paper.
Joseph: You know, storytelling is how it should be done all the time.
Alissa Knight: Yeah, it's, you know, banner ads, you know, I mean, it was storytelling and it was so cool. And so you can actually still find it on YouTube if you're interested.
Joseph: But you send me the link, I'll add it to the show.
Alissa Knight: Yeah, I will. And so we did that and it led us to more sort of the same kind of work.
And we were realizing, as this money was coming in, this revenue was coming in for production, we really... My wife Melanie, she was our director of photography from very early on and was great at it.
And we sat down, we're like, oh, man, we're actually good at this. And it's fun. Let's see where this takes us. And I feel like that's sort of the banner for Knight Group now that, you know, we've...
We've started so many companies at this point and we've sold so many companies.
Joseph: How many? 19, was it? I can't remember.
Alissa Knight: It's crazy. It's like, I want to say it's like 10 companies now, or 12 companies, but, you know, we have a coffee company.
You know, we realized that this is what we want to do, so we sort of took a break from hands-on, eyes-on-glass cyber, and we decided to go into Hollywood and actually start producing TV series. And so we've produced seven TV series to date. We recently got picked up by Zero Gravity, the producers of The Accountant and Ozark, with Jason...
Joseph: This is amazing. That's such a fun movie.
Alissa Knight: Yeah, yeah. And The Accountant with Ben Affleck. So we're doing a lot of work together.
They picked up our entire slate and so we're super excited about it. But now I think what happened was... So one of the things you need to think about is that Knight Group is what's called a venture studio.
So unlike a venture capital fund, instead of investing in other people's startups, we invest in our own incubated companies. So Knight Group incubates its own companies and we fund it through Knight Group, through our family office.
And so we've got like a coffee company, the TV production company. We also have a video game studio. MasterCard retained us to develop a AAA-quality video game where you can actually...
Joseph: Play a hacker. Best way to learn.
Alissa Knight: Yes, yes, yes. In a game. Gamify your learning experience. Please don't do it unauthorized.
But you know you can hack into banks as a hacker and play the CISO, play the SOC. It was really cool. And so we're working on this journey with MasterCard right now and where that takes us, but you know where...
So we have these different companies, and so... But I realized, sitting there while I was working in entertainment, let's let that company continue like we do with all of our companies.
But I want to shift focus now back to Assail, which is this new AI cybersecurity company that we've started and that has developed Ares. And you asked about Ares. So Ares is an agentic AI platform for autonomous penetration testing. So we're building offensive cyber systems built on AI.
And Ares specifically targets mobile apps and APIs. So you can drag and drop a mobile app into Ares and she will take it apart, de-obfuscate the code if there's obfuscated code.
And it's a 100% custom model. So we're not using any frontier models or any other company's models. It's our own custom-baked, trained model.
And so she also will attack the APIs that the mobile apps are talking to.
So for the companies that have an API footprint, which is pretty much every company, Ares will identify the vulnerabilities, exploit them and work with you in fixing them. So I really feel like this isn't the shiny new toy. It's not the new Nessus scanner, it's not the new Nmap scanner.
AI is transforming the cybersecurity industry. And I took a step back and I told Mel, I'm like, look, Mel, I need you to focus on the studios, I need you to focus on Knight TV.
I want to shift focus back to cyber and I really want to see where we can take Assail. And it's just taken off like wildfire.
Joseph: So it's amazing.
Alissa Knight: It's really cool. Yeah. I've taken 25 years of hacking experience and created these JSONL training files to train this model.
Joseph: So the picture I have in my head is like you've created your mini version of a Tamagotchi?
Alissa Knight: Yeah, pretty much. Mel looked at her and she's like, you've created a digital twin of yourself.
Like that's, you know, it's cool because she'll talk to me while she's hacking into a network, because I'm not always looking at the screen.
So I, you know, put in this text-to-voice conversion so she'll actually talk, and you can actually have a view into her mind, look at her thoughts. So I also implemented what's called hierarchical reasoning. So it's a hierarchical reasoning model, parallel thought.
So it's really... every day she's taking leaps forward and I'm so excited about it.
Joseph: That's really exciting.
Alissa Knight: Yeah, yeah, we're seeing where it goes.
Joseph: There's always a... Yeah, it's all about probability, and the more you can get, the higher the probability, the more successful it becomes. Which is impressive. And you're already training it on your knowledge.
Alissa Knight: That's exactly... I definitely want to communicate: when we start companies, we don't walk away from them. What we do is we bring in a CEO to run it.
Like one of our largest companies is an MSSP called Briar and Thorne.
And so the program manager, Carolina Ruiz, that we hired as a PM is now running the group, so she's running all of the different Briar and Thorne subsidiaries. And so we have this model where we'll form a company and bring in a CEO that's much smarter than me, you know, to come in and run it.
So it's very much like an incubator. Right.
Joseph: That's amazing. I think that's fantastic. So how do you stay educated, in knowledge?
Are you still doing the University of YouTube, or have you found other passions that keep you entertained and keep you motivated?
Alissa Knight: I used to say like, oh, it's X, it's Twitter, it's the socials. Here's the thing, I feel like we live in such an exciting time, and the fact that knowledge is everywhere.
And so I feel like one of the biggest problems is not the availability of how to hack or how to pen test or how to get into cybersecurity. It’s us taking time out of our day to take those training courses.
So many people have spent hundreds, thousands on signing up for courses and then forgotten about the login, forgotten that they signed up for it, not taken it, and then it expires.
And then, you know, I feel like what we need to do as an industry is really go out there, look at what we can rely on for capacity building, and actually take the time out to sit down and learn. And you know, I've had a lot of people reach out to me on social media, like, Alissa, can you teach me how to be a hacker? Like, how do I do that?
How do I take 25 years of experience and sit down and chat with you on LinkedIn and teach you how to be a hacker? That’s not possible.
Like, what you need to do is you need to take your time out, look at the different platforms that are out there that have great courses on the things that you need to learn to get into cyber or get into pen testing and take those courses and put in the time. Joseph, you’ve put in a lot of time in your career to get where you are. I have. Everyone has.
So it's taking the time out to actually take those training courses. Udemy. I mean, there's a... And you mentioned YouTube. YouTube, you don't have to pay for that.
You can go there and find the YouTubers who are producing great content.
Joseph: Amazing. It's amazing what you can find. And the detail on what they're sharing is unbelievable. The podcast as well is one of those avenues.
And I completely agree with you. One of the things is that organizations should not be looking at AI to replace employees.
What they should be looking at AI for is to free up a lot of their time so they can actually spend more time becoming more valuable through training and knowledge. It's investing in the people
to be the trainers of your AI, to become, you know, the ones who are overseeing, navigating, providing the checks and balances and helping educate it. That's where we should be investing. I will say that, you know, we talk about shifting left in security.
We should also be doing that with our people: we should be putting more time aside. I think in some companies, it's like less than 5% of the year is spent on training.
It should be 30%, because technology is changing so fast that if we don't invest in knowledge, and not just knowledge but wisdom... we want our employees to be as up to date and as fresh on technology as possible so they can make really smart decisions about the future direction of companies.
Alissa Knight: Agreed.
I think one of the shocking things that I found in a lot of my vulnerability research was that a lot of the organizations who were developing code internally and hiring developers were not sending their developers to secure code training. And you're right, it's a real problem. They'll send them phishing emails as training throughout the year.
Joseph: And that's not... That's not training.
Alissa Knight: Yeah, they won't find that.
Joseph: It's always a challenge.
I always say that the way that we do phishing training, like phishing campaigns and awareness, is it should be about, you know, not catching the employee off guard, but testing, doing a check on your systems to see where you need to make improvements, and helping employees become, let's say, not afraid to ask for help, being more noisy when they're seeing things. Listen, this has been amazing. I've so much enjoyed this. It's been way too long since we've spoken together.
We definitely should not let it go this length.
Alissa Knight: Yeah, it was. I'm so glad that you came up to me at the Security Congress and said hi.
I'm thankful for being invited onto your show and hopefully I was able to positively influence and affect at least one person in your audience. But, you know, I think the moral of the story is just don't be afraid to go after what you want to do and go after your dreams.
Don't worry about the Negative Nancys out there saying that AI is going to take your job. Look,
it's creating more jobs than it's taking away.
Joseph: Yeah. It's about being smart.
It's about really, you know, choosing where to focus. The really crucial thing is where to spend your time.
Learning today is critical, and definitely, I mean, you are an inspiration, a role model and a mentor, and you've done amazing things for the industry. So always keep up the amazing work you do, and hopefully we'll get to catch up again soon.
So many thanks for joining me on today's episode. This has been awesome.
Alissa Knight: Yeah. I appreciate you, and you're doing the same with your platform.
So I always have a great deal of respect and admiration for other content creators and those who are doing it, because this isn't easy, what you... I know it's not easy. It's a lot of practice and preparation.
Joseph: But what makes it is the awesome guests such as yourself. That's what, you know...
And it's the highlight of my week, because, you know, when you're remote and far away and you don't, you know, see each other in person at conferences and so forth, this is the moment I get to spend dedicated time and get to pick your brain with the questions I've always had.
Alissa Knight: Chill-out session. Yeah. And I'll send you the link to the video that sort of started it all.
And yeah, happy to entertain any questions from your audience, or if they want to reach out to me on social media like LinkedIn, feel free to. And yeah. And for those of you who are interested, we are offering free access to Ares when we launch it. It's not launched yet. It's not GA yet.
We're launching in the beginning of the year. Once it's launched, we are offering free access to her. So it's assailai.com, A-S-S-A-I-L-A-I dot com.
Joseph: Okay, awesome. I'll make sure all of the links will be in the show notes so it's easy for the audience to find it. And you answered my next question, which was going to be, what's the best way for people to contact you?
Alissa Knight: Yeah, yeah. I try and make myself as accessible as possible. I'll give you all my contact information to put in the show notes as well.
My email address and LinkedIn are probably the best way to get me. But yeah, they can also email me as well.
Joseph: Awesome. Super.
So for everyone, this is Alissa Knight, the awesome hacker who's really taking on and changing the world and making us all safe at the same time. Which is fantastic. So for everyone, hopefully this has been educational. Hopefully you got a lot of insights.
And tune in every two weeks for the Security by Default podcast, really bringing security for everybody. And hopefully, my passion again is also to make the world a safer place.
So take care, stay safe until the next time. Thank you.
