Podcast: Play in new window | Download (Duration: 29:54 — 27.4MB) | Embed
In this episode of The Security Ledger Podcast (#255) Paul speaks with Niels Provos – a cybersecurity luminary who helped build Google’s security team from the ground up. Paul and Niels talk about his latest project: the Cyberhouse-Collective, which hopes to inspire new generations of cybersecurity professionals by fusing infosec themes with Electronic Dance Music (EDM), and we check out some of his own music, released under the moniker Activ8te
[Video Podcast] | [MP3] | [Transcript]
One of the biggest cybersecurity challenges we face is the problem of awareness. Software is now central to the operation of our economy – as digital transformation washes over every industry. And yet, the awareness of cyber security risks – from phishing and social engineering attacks to software supply chain compromises – remains low.
Nobody knows that better than our guest this week. Niels Provos has a storied, two decade career on the forefront of cybersecurity, starting in the late 1990s with his work as a graduate student on phenomena like steganography and honeypots. That work landed him a place as a founding member of Google’s security team, where he worked for 15 years, rising to the position of Distinguished Engineer and helping to develop protections for everything from denial of service attacks to safe browsing features to defenses against nation-state actors following the infamous 2009 Operation Aurora attack on Google by hackers linked to China’s People’s Liberation Army (PLA).
Niels’ subsequent work included a stint as the Head of Security at payments startup Stripe. He’s now at Lacework, a cloud security firm, where he serves as the Head of Security Efficacy. His work taught him plenty about cybersecurity – but also gave him a sobering appreciation of the difficulty organizations have in actually changing outcomes.
“I’ve been working on this now for 25 years and I just don’t feel it’s getting better,” Niels told me.
A pandemic epiphany
And then the COVID pandemic happened. With Niels – as with so many of us – the pandemic prompted big changes to his day-to-day reality, as well as a reconsideration of where he’d been, and where he was going. In Niels’ case, that meant leaning into a budding interest in making music. He signed up to take some virtual classes in electronic music production at Boston’s Berkeley College of Music. His growing interest in producing electronic music soon fused with his interest in cybersecurity – prompting questions about how one might help the other.
“One of the things that I’ve been bemoaning is the poor state of security in the world. And then you read about the scarcity of talent. And then I was like maybe I can combine all of this. And I decided to produce cyber security themed EDM tracks, where each track covers some security topics in the hope of, being fun to listen to and what people would feel like would like to dance to this.”
— Niels Provos (Activ8te), Head of Security Efficacy at Lacework
Meet Activ8te
The result was the birth of Activ8te, Niels’ alter ego and the creation of the Cyber-House Collective in 2022, an effort to infuse EDM with lessons about cybersecurity informed by some of the top talent in the industry. The goal: inspire and educate people around the world about important cybersecurity topics like the dangers of phishing- and social engineering attacks, as well as network compromises.
In this podcast, Niels and I dig into his music and also some of the larger challenges facing the cybersecurity industry and our economy at large, as cybersecurity risks and attacks proliferate even as cybersecurity talent and expertise remain scarce.
To start off our conversation, I asked Niels to talk about his journey to the cybersecurity industry, and how he got interested in making music.
Video Podcast and Transcript
Video Podcast
Click below to view the video of our interview with Niels. Or, visit our YouTube channel.
Transcript
Niels Provos CDM – Cyber Dance Music
[00:00:00]
Paul Roberts (Security Ledger): Okay, welcome back to the security ledger podcast. I’m Paul Roberts. I’m your host and I’m the editor in chief at the security ledger and really thrilled today to be in the studio with Niels Provos, who is an OG in the cybersecurity community and also notable for being a music producer who has really ventured into this synthesis of electronic dance music and cyber, and how could we not talk about that?
Niels, welcome to The Security Ledger Podcast. It’s it’s great to have you on the show.
Niels Provos (Activ8te): Thank you, Paul. I really appreciate the opportunity and think that we’re going to have a great conversation.
Paul Roberts (Security Ledger): Absolutely. Maybe [00:01:00] just start off though for our viewers who haven’t, don’t know about you, talking about your journey to cyber and how you came to the infosec industry.
Niels Provos (Activ8te): Yeah, absolutely. All of this for me happened by circumstance. I became system administrator for the physics network at the University of Hamburg. And that was really the first time I got exposed to VMS and Unix and all these concepts like internet was still fairly new then.
And I discovered that I became very quickly curious how it all works. Ended up in the U. S. at the University of Michigan for a PhD in computer science, where I explored security topics such as, honeypots and steganography, which is the art of secretly communicating messages without anybody knowing that you’re even communicating.
And then,
Paul Roberts (Security Ledger): Images and stuff like that…
Niels Provos (Activ8te): yeah, that’s right. It was primarily images. And, the funny story there is that I was about to present at Usenix security [00:02:00] on some paper that got published. And in the meantime, I’d been working on detecting steganographic content, at scale on the internet. And it started talking about it.
And then 9/11 happened, and I was in Greece on vacation, without really having connectivity to the internet. And we found out about September 11th, we’re basically walking by an electronics store that was showing news on the TV. And so I decided I would dial up with my laptop to university number in Athens, and I got this request from Air Force intelligence who wanted all of my research on steganography, which I then provided, but we decided to change my presentation at the conference, then on the steganographic work, which was quite interesting. And when I came back to the US, I said, look, I realized that with these intelligence services, it’s all a one way street.
You send them stuff you never hear back. [00:03:00] And so a day later, this agent sent me a thank you in email. And my advisor swears that he had no communication with them whatsoever.
And to this day, I don’t know how this happened. It seemed, rather suspicious.
And back then I was still thinking of becoming a professor, but the job market for professors wasn’t great because all of the research labs collapsed. And while I was on the west coast, I interviewed with Google and
Paul Roberts (Security Ledger): Google. Now they do, what do they do again?
Niels Provos (Activ8te): So back then, that was 2003, Paul. They were a search engine. In hindsight, right? Before I started at Google, I was already an avid Google search user just because it was so good, but never really expected what Google would turn into in, in the end. And so I joined in 2003, became one of the very first members of the security teams and then stayed there for 15 years. And the journey, has been quite interesting. I [00:04:00] started working on denial of service protection for Google at scale. Then I helped build the safe browsing project, which I think at this point literally protects over 4 billion devices from, web malware and phishing, but I think for Google, the wake up moment was really Aurora in 2009 when Google was compromised by actors we believe were backed by the Chinese government. And, before that, Google already had quite an emphasis on security, but it was not that the standards were lax or that we didn’t care about it, but that was a wake up moment, like no other. And over the years, we literally grew the security organization to a thousand engineers. And I think for a company like Google probably got to as good as security as you can get in that kind of business, but never really good enough to be able to say now we are safe from nation state actors. Nobody can say that. But I think what Google can say is any nation state [00:05:00] actor. It takes a big risk of discovery and public embarrassment because you remember in the past, companies would not disclose, Google was one of the very first companies that actually disclosed something like that had happened.
And, in the end, Google, I managed most of the security engineering teams. The span of problems was quite large from building custom security chips that we put into millions of Google’s motherboards to have a trusted route on hardware all the way to building cloud security infrastructure and cloud security products.
But Google had gotten too large for me. I think when I left, it was Google proper was, I think, 92, 000 full time employees, Alphabet was under 20, 000. And now the numbers are even larger. But at that time Patrick Collison, the CEO of Stripe was looking for somebody to lead the security organization at Stripe.
And my predecessor was Mudge, who I have known, for many years. And, he said, Hey, Niels, I would feel much better if you were to take [00:06:00] over from my role, because then I feel like the team would be in good hands. And and so I was at Stripe for maybe, three and a half years and the goal was really to make Stripe as good in security as you could possibly make it.
And so we came up with an incredibly compelling security roadmap, made a lot of progress and my claim. And this is probably somewhat biased, but it’s Stripe fully implements that roadmap. Their production security is going to be better than Google just because, we got to learn all of those lessons.
And it’s a much smaller company with less complexity. And so you can get some of these systems just right from the get go. And so part of the journey, I think I grew this security organization from 30 to 160 people. Also quite a substantial investment. And when I say growing, people with security expertise, but mostly people who can actually write [00:07:00] software and infrastructure.
And I think that is where sort of the challenge is for most companies that they don’t know how to get to a good security. And they only have very few that know how to do that. And after Stripe, I didn’t really quite know what I wanted to do, as the music that I’ve been working on has been, quite entertaining, but I decided to join a startup called Lacework, because they really want to build a security platform that leads to better security outcomes for customers.
Paul Roberts (Security Ledger): One of your other superhuman powers Niels, is as a musician and you perform under the name Activ8te and you’ve created just a really interesting body of electronic dance music.
Cyber themed. So tell us are you a musician kind of going back to your childhood or is this something you got interested in as an adult or where did this career and where’d the focus on EDM start?
Niels Provos (Activ8te): Yeah, perfect. This is [00:08:00] all fairly new to me, but it is rooted in security because, and you and I, when we spoke before, we spoke a little bit about mental health, one of the challenges with being in the CISO role or a head of security role is the stress. That gets put on you by the problems that you become responsible for is just incredibly large.
And my way of coping with this during COVID was the, I don’t have to commute anymore. Is there something that I can do that would both provide reprieve from the stress at work and also be expanding my horizons? And so I started playing electric guitar. And then I figured, I should really figure out how to make music.
So I took a few classes at, Berkeley Online College of Music on producing electronic music. And then everything came together, right? One of the things that I’ve been bemoaning is the poor state of security in the world. And I’ve been working on this now for [00:09:00] 25 years and they just don’t feel it’s getting better.
And then you read about the scarcity of talent. And then I was like maybe I can combine all of this. And I decided to produce cyber security themed EDM tracks, where each track covers some security topics in the hope of, being fun to listen to and what people would feel like would like to dance to this.
But also where some of the lyrics are, maybe Oh, he is talking about social engineering. Oh, he is talking about denial of service and misinformation. Maybe there’s something more for us to learn here. And and so my aspiration with this, Paul, and, don’t laugh too loud. Is sort of use the music to get more people interested in pursuing a career in security and ultimately win a Grammy and then have a platform at the Grammys to talk about the need for better cybersecurity.
Paul Roberts (Security Ledger): Yes. And therein reaching more people than, any administration has with their announcements. Yeah.
Activ8te – I am Tracking You: I saw you slept [00:10:00] alone last night Your bedroom’s looking like a dark and lonely sight. You took a shower with your phone And I won’t expect it when your secrets become known Will you tell me now? Can you disavow? Don’t hide it, cause I know your secrets …
Paul Roberts (Security Ledger): I must say the music itself is really good. How do you like conceive of your songs? Do you start with the music and the kind of groove and beat, or do you start with I want to do a song about social engineering which, you’ve got a song about…
Niels Provos (Activ8te): It’s the latter. And in some sense, I use a little bit of a brute force approach to music and all of this work where I basically say, what would be an interesting topic and with Netrunner was sort of social engineering because inherently. [00:11:00] We as humans are just vulnerable to it.
None of us, it’s safe, right? I, who have spent 25 years in security and keenly aware of social engineering can be socially engineered. And so then, natural, I was a little bit special because we were wondering, what is the way in which we could attract even more interest in this, and so we decided maybe we just put it in the cyberpunk universe.
And the track was released roughly at the same time as Cyberpunk 2077 came up with their Phantom Liberty game, and we thought there might be some more interest. But then I have this really great collaborator in Chicago called Jake Lizio, who is a great guitarist and a great teacher, and we have been collaborating together on all of these tracks, but sometimes I would also go to former colleagues at Google and say, hey, we are working on this topic.
You want to help with the lyrics? And, Ellie Burstein, who is a friend of mine, and he does, deep [00:12:00] learning and security. Has contributed to some of these tracks, but then basically we say, what are the topics that we want to cover? Are there lessons that we want to convey? And then we come up with the lyrics and then we pitch around reference tracks and some musical ideas and then incrementally build it into the finished product. But since I’m just doing this sort of, on the weekends and part time, it easily takes six months, to complete one track.
Paul Roberts (Security Ledger): So you mentioned Netrunner. Let’s check it out.
[Netrunner video plays.]
[00:13:00]
Paul Roberts (Security Ledger): Okay. So awesome. Watch the video. It’s an amazing video. Not surprisingly, she seduces the engineer and manages to plant malware on his systems.
Niels Provos (Activ8te): A terrible stereotype….
Paul Roberts (Security Ledger): Actually, you know sexual attraction and that is often a doorway into social engineering attacks going You know we’ve seen that via linkedin and other venues as well So yeah, it is a stereotype. On the other hand. It’s also based in reality.
So first of all who’s singing there? And Social engineering is a deep and complex topic. So when you came at it what did you want to make sure you communicated in this song?
Niels Provos (Activ8te): Yeah, perfect. So the singer is Laura Weinbach from Foxtail’s Brigade. It’s [00:14:00] actually a group in the Bay Area. And I got to know her when she was singing and performing at a farmer’s market. And they used to have a vocalist who I actually met at Berklee Online on the East Coast, but she dropped from the face of the earth. And, for this track, I needed to find a new vocalist. And Laura was
Paul Roberts (Security Ledger): Berklee College of Music in Boston, not
Niels Provos (Activ8te): That’s right. That’s right. Yes.
Paul Roberts (Security Ledger): And on the lyrics I must imagine for like engineers who are also musicians and they’re, that’s actually not that uncommon to have to fuse these different parts of their brain, right? Like the types of technical problems you work on with lyrics for an EDM song probably an interesting challenge.
Niels Provos (Activ8te): Yeah, I actually find writing lyrics quite challenging. And there’s a lot of back and forth. And NetRunner is actually one of the tracks with the least technical lyrics, because we wanted to appeal to a broader audience. But we thought the concept of social engineering and the fact that we, that, you may just, that you hear what [00:15:00] you want to hear and that you act.
Based on what you believe and not what’s really going on is something that could probably resonate, with lots and lots of people. And the protagonist in this track is actually a homage to Lucy from the Netflix Netrunner show, which I thought was incredibly well, well done, maybe a little bit graphic and violent, it’s basically really empowered female protagonist, very smart, very savvy, but also sexy and then knows how to. basically get her away.
Paul Roberts (Security Ledger): So for software engineers, look of all different genders and backgrounds who are watching this video what’s the message for them? Is it just hey, watch out they’re going to have, somebody’s going to try and hack your brain basically or what,
Niels Provos (Activ8te): You would like to say that there is something learnable here, right? That we can watch this video and say, Oh, I’m just falling for the obvious trap. And, I should just be more cautious. And, whenever I [00:16:00] do something, I should think about it twice, maybe before taking an actual sleep over it.
It’s all very rational advice and makes a lot of sense. And we have all heard it, many times over that the problem is as humans, we are not rational, right? We are intrinsically motivated through our emotions. And, I think the best thing that we can do there is get much better at self awareness, but I think, hopefully some of this is going to stick with people where they see even in the video a sequence of semi plausible events that leads to the complete shutdown of the power in a city.
Activ8te – Patch Your Network: Better patch your network! Better patch your network, ay, ay…better patch your network! Better patch your network, ay, ay, ay…better patch your network ay, ay, ay… It’s called a lateral movement, [00:17:00] baby when you infiltrate my network Gravities are insistent lately And I’m feelin vulnerable. Better patch your Network! Better patch your Network ay, ay…, Better patch your My IDS is flaring up So I know that someone’s watchin Give me a minute to build it up A firewall that will stop your hacking …
Paul Roberts (Security Ledger): You’ve got another song that I love just called Patch Your Network.
Niels Provos (Activ8te): Yes, and that is much more technical in the lyrics.
Paul Roberts (Security Ledger): Talk about that. What’s the message there? And and how did that one come about?
Niels Provos (Activ8te): Yeah, so the vision was really, imagine you’re a security artist or you’re a security engineer in a threat detection team and it falls upon you. [00:18:00] To find out and detect and remediate and quickly fix anytime something ends up going wrong. And that is a 24 7 job, right? Only because it’s not your work time doesn’t mean that the adversaries aren’t after you.
And so it paints a little bit the picture of, a really skilled. adversary who goes after the network that you’re responsible to protect, right? And so some of the lyrics are, I’m scared at night because I’m sleeping and all of my defenses are on their own. And if you watch the music video for that, it has some it has some Easter eggs. And really, I can give it away here. It’s really inspired by SolarWinds.
Paul Roberts (Security Ledger): Inspired by SolarWinds How?
Niels Provos (Activ8te): In the sense, SolarWinds was compromised by Russians. Incredibly sophisticated group. I think APT29 took over a year, but I think before
Paul Roberts (Security Ledger): Infiltrated the development pipeline, studied how they wrote the [00:19:00] code…
Niels Provos (Activ8te): just incredibly sophisticated, right? The way that it worked, they compromised the build machine and they were watching every single build that happened. And when the Orion software was built, they would quickly swap out the source code on the file system and right afterwards put the old one back.
Really hard to find, right? And then for the companies who were compromised by that sort of, Backdoor to the Orion binary, they were super careful there as well, right? They had three different stages of command to control before anything would even happen to get network. And in that song, it’s really about the yes, right?
These are these incredibly sophisticated adversaries, right? The lyrics are, it’s not just. Metasploit you use, your RAT is also quiet, and RAT here is for remote access Trojan, which basically is, how you get the backdoor into somebody’s network, and even that there fits that you don’t find it anymore.
Paul Roberts (Security Ledger): One of the things that struck me is like in cybersecurity, there is a lot of tension. There’s a lot of [00:20:00] adversarial situations. In some ways, it does lend itself to songwriting and narrative in ways that probably are helpful to you as a composer and as a lyricist.
Niels Provos (Activ8te): Yeah, my sense is inherently the experience of art and music. It’s an emotional experience, and I certainly feel that with any of the problems that we are talking about, I can empathize with them, right? I’ve been in similar situations and have that emotional connection. And, hopefully, as I mentioned earlier, hopefully get more people interested in the, this is a fascinating space.
It is acute. It’s going to be acute, for many years. Maybe I can have a career here and do something to better the world.
Paul Roberts (Security Ledger): Final question, and you cued it up perfectly. We are at a time when the federal government, in particular CISA under Jen Easterly, is taking a lot more active role in trying to raise awareness and provide guidance and help to both end users, [00:21:00] but also to software development organizations, around software supply chain security, secure development, secure by design concepts. But they’re doing it the traditional way, they’re issuing guidance and guideline documents would you recommend that they take a different and more sort of broad minded approach of maybe trying to reach people again through, through dance music or through, videos , and worm their way into developers brains in a different way. Yeah.
Niels Provos (Activ8te): First of all, I love what CISA is doing. I think what they’re doing is great. But let me tell you a funny story. So at work people are clearly aware that I’m making this music. And so we have started playing it at the cafe during lunchtimes to get more people in tune with these security themes.
And the CISA is running the Cybersecurity Review Board. And they were very kind and invited me and other people at Laceworks to present to [00:22:00] the board. And we wrote a pre brief for them. And in that pre brief, I basically wrote the, the main problem with security is incentives.
But another huge problem is there is not enough skilled people who know how to do the job. And then I was saying, oh, by the way, one of the authors has this unique way of getting more people interested in security. Listen to his tracks. In the brief that we’ve printed the CSRB and, for a moment, I was wondering, maybe CISA is going to make this mandatory listening for all federal employees,
Paul Roberts (Security Ledger): Yes.
Niels Provos (Activ8te): The problem with security is all about incentives. 99 percent of the problems by which companies get compromised have well known and well understood technological solutions. And the problem is just that sort of, it’s very expensive to get better at security.
And in many ways, companies are rational players, They will do what they feel is right to the business and the customers. And if [00:23:00] security is really expensive, then the answer is usually I go to my security person and say, Hey, if I give you this investment, what can you promise me? And then the security person usually says I’m going to be raising the security bar.
I’m going to be limiting the blast radius. And then the CEO says can you promise me there’s not going to be a security incident. And then the security person says, no, I can’t promise you that. And then a very rational decision is great. Let’s just wait for the next security incident, deal with it.
Then in the meantime, the resources I promised you, I’m just put back into the business to get more features and customers. And so I think what CISA is doing is helping with changing some of those incentives. By providing very clear guidance by setting standards on what is acceptable behavior, probably not going far enough.
One of the things that I’m sometimes musing about is whether fines for security incidents would just be much larger and maybe insurance should be mandated. And then you can delegate the [00:24:00] assessment of companies to insurance companies. Of course, that would require that they are capable and competent as well. And one of the things I’m concerned about is the trend that we see to hold CISOs personally liable. I think we saw that
Paul Roberts (Security Ledger): Solar winds
Niels Provos (Activ8te): Sullivan at Uber and now with SolarWinds as well. In my mind, that just sets really poor precedent. Because if you are in a role that is already not set up to succeed, And you do the best that you can.
And now you also know you’re going to be held personally liable. Who wants to take a job like that?
Paul Roberts (Security Ledger): Yeah, and if you look at other industries, whether it’s. Food production or manufacturing automotive we know how to do it, which is you pass laws and regulations that set a high bar and then you hold organizations to account. And by doing that, you’re bending the market in favor of them doing the right thing.
But we, software is, It’s everywhere. It’s ubiquitous. It’s every industry, right? And so it’s a much, much higher bar to [00:25:00] clear.
Niels Provos (Activ8te): And we just don’t know how to write secure software. So if I think a great example, and I don’t know if you are done time wise, but there’s a tangent that we could go on that I think is really
Paul Roberts (Security Ledger): Go, let’s go on it. Let’s go.
Niels Provos (Activ8te): So I mentioned to you before how we don’t know how to measure security.
And it’s very hard to say, here’s the amount of investment. And what does the security return that I got. And at the same time, we are saying everybody needs to get better at security, right? Your software shouldn’t have vulnerabilities. It should not be exploitable. I think both iOS and Android are great examples.
Another track that I wrote is I’m tracking you. It’s basically about ubiquitous spyware and talking about the NSO Pegasus platform. Which is basically a commercial product sold to governments across the world that allows you to compromise basically any phone user, right? Giving some government full access to all of your data.
And [00:26:00] sort of one term in that realm is called a zero click attack. Basically, can I compromise your phone without the user needing to have any kind of interaction, usually by sending a message to a WhatsApp or
Paul Roberts (Security Ledger): you a text message.
Niels Provos (Activ8te): Exactly. And so there’s actually a market for these vulnerabilities, and we can look at how expensive they are.
And I also know, from people who I know who work both at Apple and Google, that there’s been an incredible emphasis on making these phones more secure, right? Because the user base is huge and, these companies want to be very responsible. So if you look at the cost of a zero click end to end exploit, I think maybe in 2016, two million dollars. Then if you forward a few years you find that A one click end to end attack runs for 8 million. The latest numbers, I think, as of this year, the fully [00:27:00] working end to end zero click attack on iOS or Android runs for 20 million. And so then what is these companies, Google and Apple, have Immensely focused on increasing the security of their phones and the operating system. And it shows, right? These attacks are so much more expensive now, but there are going to be new ones.
Paul Roberts (Security Ledger): There are. And if we could all, if every device maker could raise the bar so that zero click on their platform costs 20 million, then we’d be in a much better place. But the. The unfortunate truth is it’s more of the, 1111 default password attacks that we’re seeing out there, particularly in the sort of, consumer device space, the IOT space that bar is set so low and in essence, like you said, that’s because we’ve more or less left it at the discretion of companies to decide how [00:28:00] big a priority security is and not held them accountable for the fallout from that, which is borne by companies and by consumers.
Niels Provos (Activ8te): That’s right. And that’s, I think, the other problem with all these incentives around this, the costs are all indirect. You and I bear the cost. So we don’t even know about it, right? Because our data gets stolen and misused
Paul Roberts (Security Ledger): MOVEIt. I don’t know about you, but I got three sets of, letters, but for me and my kids from different, providers who had been using MOVEIt, healthcare providers and stuff like that. So I’ll, all of us had our data stolen multiple times, multiple different people, just because of, one vulnerability in a managed file transfer app. Ouch.
Niels Provos (Activ8te): It is a sad world we’re living in, which is why we need more people who can help make security better.
Paul Roberts (Security Ledger): And better music to listen to while we’re doing it.
Niels Provos (Activ8te): That’s right. Exactly.
Paul Roberts (Security Ledger): Neil, is there anything I didn’t ask you that I should have or anything you wanted to say, I didn’t give you a chance to say.
Niels Provos (Activ8te): I just think we all have to work on continuing to increase the [00:29:00] awareness on security and then hopefully get to a place where we can actually take security and privacy as a given. Whereas at the moment, I feel like we all have to individually fight for it to even have a little bit of a chance.
Paul Roberts (Security Ledger): Thank you so much for coming on and speaking to us on the Security Ledger podcast. I really appreciate it.
Niels Provos (Activ8te): My pleasure. And hope to talk to you again soon.
Paul Roberts (Security Ledger): Yeah.
