Q&A: Joseph Menn on the Cult of the Dead Cow

The Cult of the Dead Cow began as a small group of like-minded friends in Texas in 1983 and grew into one of the more influential and venerable hacking groups to emerge from the early days of the Internet. The cDc shares several members with the L0pht, another seminal hacking crew, and many of its members have gone on to considerable success, whether in the technology field or in medicine or the arts. Or even politics. Dennis Fisher recently spoke with journalist Joseph Menn, author of a new book called Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World, about the group's far-reaching influence on hacking culture, the tech industry, and the emergence of hacktivism.

Dennis Fisher: So how did you settle on Cult of the Dead Cow?

Joseph Menn: So it's not obvious on the surface, right? I mean, these guys peaked in fame like 20 years ago and a lot of young folks hadn't heard of the Cult of the Dead Cow. But my process was that, I'm an old guy and I've been covering cyber security and hackers for 20 years. And, I guess I'm best known for a previous book, Fatal System Error, which said that the Russian government was in cahoots with organized criminal hackers, which now seems like totally obvious, but when I published that in 2010, it was pretty radical. So that did really well because it was arguably the first mainstream popular book that sold a bunch of copies that says, hey, we're really screwed here. The combination of, you know, fairly indefensible technology, attack surface, geopolitics and the legal system, which, you know, allows pretty crappy software to propagate without liability. So, you know, that book brought like sort of widespread attention to it and even people in Congress read it. And since then there've been all these other books that say, well, this aspect of cybersecurity is terrible and that one's terrible. And you know, here's something about the surveillance state and here's something about the, you know, the military industrial internet complex and they're all, you know, a lot of them were quite good, but they're all sort of going the same direction. Like, we got a big problem here. And I decided that I wanted to do something that was more about what direction we should go in, sort of like a way forward, something that was more helpful than just, you know, calling attention to the problem because so many people were doing that. And so I also was trying to capitalize on the fact that I've been around for a while. There are lots of younger, more energetic folks that can code now writing about cyber security.
But I'm trying to think of some way I could leverage the fact that I've been around for a while and you've seen sort of the ups and downs and I decided that what I wanted to do was find something that had worked or something that had been a real positive step in the past and see if I could bring that forward. You look back to the people that have been in something similar in the past. So what did we do the last time we were in a Cold War, what did we do last time that there was a complete split in society about some critical issues? With cyber security, one of the nice things is the heroes from the last one, the veterans are still around. So we can just go and ask them and that's what I tried to do. And these guys, they go back 35 years, you know, to the beginning when there was not a worldwide web. They are still around doing a variety of really interesting things in government and nonprofits and in the private sector. And the debates they had internally, their own moral development I think is a great way to sort of distill the key battles of the past.

Dennis Fisher: So as you started to look at the cDc as kind of an overarching group and their relationship to the security industry and the Internet as a whole, what was your way into this story?

Joseph Menn: Well, so one thing that was useful to me was the sort of chronological development, and actually this reminds me of my first solo book, which was about Napster. And the advantages to writing about Napster were two-fold. One, everybody had heard of it. And yet there were things that people didn't understand about what was going on in the inside of that company, which is as crazy as anything that's going on outside of the company. But the other is that the central figures were kids, you know, 17, 18 years old and they came out to Silicon Valley. And my purpose in writing the book was to educate people about how crazy Silicon Valley in the late Nineties was, you know, both in good ways where it brought forth great innovation and in bad ways where crazy greed heads corrupted those developments, which is exactly what happened with Napster. But the beauty part from a narrative perspective is that the 17 or 18 year olds don't know anything about venture capital. And so if you can recreate what it was like for them as like the VC comes in and pitches how this works, or the lawyer comes in and sells them that their case is defensible, whatever, it's easy on the reader because you're bringing it to the reader's attention to your, you don't have to take a break and explain the history of Silicon Valley, because the kids are learning it too. So you learned through their eyes. And so that's what I wanted to do here. I mean, when the cDc started they were 13, 14 years old, you know, so you get the excitement of the ability to connect for the first time, even though it's a pain with the creaky modems that are run by hamsters and whatever. The most important part of this whole thing is sort of the moral development, the ethical calls, which are not only being made by security practitioners every day now, but by mainstream tech companies, Google, Facebook.
The moral calls they made when they're 13 or 14, you're like, well shit, is it better to steal a little long distance service from a lot of people or a lot of service from like one big company that won't even know?

If you start out with small moral stakes like that, and then you see the same people have to make bigger decisions, okay, now we've got a flaw in Windows architecture and Microsoft won't answer the phone. What are we doing? Now do we share it among our friends so that we can all hack more random people and go exploring? Do we give it to the U.S. government? What do we do? Quite famously, it was basically to have a media circus, to go to DEF CON, start rapping and throwing out CDs with powerful software on it because yeah, some people are going to get hacked because of that. More of them definitely. But it's also going to force Microsoft to pay more attention. There are all sorts of close calls that are really important that are happening in obscurity or you know, a classified level that need broader discussion because they affect all of us.

Dennis Fisher: Yeah, there's a lot of parallels for that. That was 20 years ago, which is literally the dawn of the public internet. And there's still researchers grappling with that same question, how do I handle this? I think the cDc guys, what they did and the L0pht guys, had kind of the same approach.

Joseph Menn: I think that's an interesting thing. So, in retrospect, they were the pioneers of what is now called responsible disclosure, which is kind of the law of the land now. I don't think a lot of people realize how the L0pht and cDc work together, but they were the classic good cop, bad cop. So there were four people that were in both the L0pht and cDc over the lifespan of both. The L0pht did public advisories, you know, that are some of the first widespread advisories that really got vendors’ attention, but they were always sort of playing by the rules. I mean they didn't want their real names out, but they were interested in getting the government's attention. They got to go testify before Congress in 1998 and that was a real wake-up call for folks. But when Back Orifice and Back Orifice 2K came out, that was giving exploit tools to the masses. And so there was kind of this unspoken thing where like, you know, if the L0pht doesn't get your attention, then meet my uncle cDc and they'll get your attention.

Dennis Fisher: There's some folks that I think a lot of people in the industry knew were members of cDc but had never really acknowledged it publicly, that you reveal in the book, with their permission, one of whom is currently running for president, Beto O'Rourke. So tell me a little bit about how you came upon that piece of information, how you decided how to handle it.

Joseph Menn: I've known about this for a long time now, but the idea that a hacker is a serious presidential candidate is kind of mind blowing. When I was exploring doing a book about cDc, I knew, in addition to their long history and the known players like Mudge and Chris Rioux, who founded Veracode, all these really significant figures. I knew some other things about it, and one of the things I turned up in that preliminary reporting is that they had a member of Congress who had been in, and they wouldn't tell me. The members who were speaking to me at that point early on wouldn't tell me which one. And I didn't know if I was ever going to figure out which one it was and if I did, if that person would talk to me or not. That was one of the factors that went into my saying, yeah, I think I can do a book on this that people would want to read. And so that was in my book proposal and I said, there is a congressman, I didn't say which one. And then I explained sort of the arc, like why that made sense as security is becoming more fundamental to technology as technology is becoming more fundamental to the economy and to social life and to geopolitics. And it is at some level appropriate and to be expected that sooner or later these security experts are going to play more central roles in our lives. But anyway, so I knew there was a congressman, I tried to figure out who it was and I happened to see that there was a guy running for Senate in Texas, who was in the sort of magic age bubble, which meant that he came of age after WarGames, the movie in 1983, and before the Computer Fraud and Abuse Act in 1986. So when you see what's possible and before it's explicitly criminalized, a very large number of the cDc folks fit into that bubble. So he fit in. So he's the right age. He was from Texas, which is where the group started. And he was in a punk rock band. And so I made a guess to my best cDc contacts and they wouldn't say one way or the other. 
They were like, no, we're not going to talk about that. But maybe we could talk about it after November. Well, that's the Senate race, so, okay, so I didn't have it, I couldn't report it. I didn't know it. Anyway I asked can I have the information under embargo, and so they said yes and they said it’s Beto. I said, holy cow. At that point he was running for Senate and after some time passed I had the opportunity to meet him. And I told him what I was doing. I told him the story, the book would not appear until after November. And he said, yeah, sure. And then he agreed to an interview and he was terrific.

Dennis Fisher: Aside from Beto, what would you say were the most interesting folks to interview for the book?

Joseph Menn: One of the things I like about cDc is that it's such a big tent, so you've got people that wound up doing very serious work for the government. I mean, as serious as it gets for the government running DARPA’s cyber security program on offense and defense. That's Mudge. Then on the other end of the spectrum, you've got an experimental filmmaker, and you've got, you know, a graphic artist. So it's hard to pick a favorite there. I mean, the point in some ways was the range. The outstanding contributor to government cybersecurity award goes to Mudge, who served in DARPA and has done other very interesting things, including starting a sort of Consumer Reports system for evaluating software on safety grounds without access to the source code. The corporate defense private sector award goes to Chris Rioux, who cofounded Veracode, now a $1 billion company, which made a dramatic difference in sort of the balance of power between software vendors and the big buyers, who evaluate the binaries. And then it's sort of like the cultural wing of the house, like the liberal arts section of the hacker underground. Deth Veggie, who I named for the first time in the book, is a really interesting character who was the cDc’s minister of propaganda and he was around for 20 years. He was really kind of the heart and soul of the group and kept it together. And then probably the most gray character, it would be Oxblood Ruffin. So this is pretty much the father of hacktivism, and he comes in after cDc is already pretty established, already pretty famous or is well on its way and he's the one that sort of cajoles them into doing more overtly political stuff. So, helping people in China circumvent censorship in the great firewall. But he also makes some shit up, a fair amount of it that deceives my brethren and sistren in the press.
It was hard for me to set aside my personal kind of revulsion at falsehoods and marketing and spin, which, you know, are sort of like the enemy of what I do every day. But because they, and Oxblood in particular, in response from tall tales, they brought a lot of attention to pretty serious things and got people excited to contribute time and effort and credibility to helping folks do good things.

Dennis Fisher: The anecdote that you're referring to mainly is the Hong Kong Blondes story, which goes a long way I think to showing exactly the way that information can be manipulated in this way. A lot of that kind of misinformation/disinformation is still going on now.

Joseph Menn: Early on I said that there's a lot of stuff they did that is, on balance, it works, but is not a clear call, is not 100% that was the right thing to do, which is like life and it makes them more interesting. And the Hong Kong Blondes is certainly one of those things. A large percentage of that story, if not all of it, is made up. And yet it galvanized a lot of folks. I sort of trace it, you know, to some clear good actually being done. So, I mean, it's all spelled out in the book, but they spin this story, it gets media attention. Somebody reads it who's actually helping the Tibetans. The story is about an alleged alliance between the cDc and these underground dissidents, tech savvy dissidents in China. Nobody besides Oxblood has ever claimed to have met any of these people and Oxblood admits that he met one of them. But it was reported as truth in places like Wired and the LA Times. A couple of years later, somebody who's helping the Tibetans who are dealing with all kinds of Chinese malware coming at them in India gets in touch with Oxblood, comes to DEF CON and is on a panel with Oxblood in 2001 where it's all about hacktivism and they stay in touch. And eventually that guy brings Oxblood to India to also help out the Tibetans and then Oxblood inspires the Citizen Lab, which was doing just amazing work and it has been for decades now at the University of Toronto, and Oxblood introduces the people in India to the Citizen Lab folks. And this becomes the GhostNet report, the raw material in the GhostNet report, which is the first public accounting of an advanced persistent threat.

Dennis Fisher: Is there anybody that you wanted to interview for the book but weren't able to get for one reason or another? There's probably a few, I'd imagine.

Joseph Menn: It was super hard to get Kevin Wheeler, the founder of the group. There are lots of people that did not initially want to cooperate and certainly were not interested in getting their real names out there, but I am sure that was one precondition. And another one was access to internal emails because given their history as coyote tricksters, you know, I can't take their word for anything, so I needed backup anyway. Kevin Wheeler was like the incredible showman that founded the group and that led the DEF CON presentations in like rabbit fur chaps and a cowboy hat while rapping. And not only did he not respond to my inquiries, but his effective number two Deth Veggie had to harass him for months. And the thing that finally did it was that he said, look, I'm going to send you a singing telegram unless you get on the phone and talk to me about Joe Menn's project. I eventually got everybody I needed to get.

This transcript has been condensed and edited.