CyberWire Daily - Cult of the Dead Cow author Joseph Menn extended interview. [Special Editions]
Episode Date: July 28, 2019
Our guest today is Joseph Menn. He’s a longtime investigative reporter on technology issues, currently working for Reuters in San Francisco. He’s the author of several books, the latest of which is titled Cult of the Dead Cow - How the original hacking supergroup might just save the world.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to this special CyberWire extended interview. I'm Dave Bittner.
My guest today is Joseph Menn. He's a longtime investigative reporter on technology issues,
currently working for Reuters in San Francisco. He's the author of several books, the latest of which is titled Cult of the Dead Cow, How the Original Hacking Supergroup Might Just Save the World.
So I picked the Cult of the Dead Cow because I was looking to write something
sort of more positive about the industry and give folks an idea of what can be accomplished.
Because sometimes, you know, having covered cybersecurity for 20 years,
it can be awfully grim.
The architecture of the internet is against you.
The sort of software business market is against you, and geopolitics are against you. So I know this because, you know,
I've written about it extensively. And my previous book, Fatal System Error was about that. And in
particular, I singled out the Russian government's alliance with organized criminal hacking gangs.
But you know, that was to illustrate the broader point of how dire the situation was. And that came out in 2010. And since then, there have been other
books that have pointed to one or another aspect of how terrible things are. And I could have done
another one of those. But instead, I wanted to find something that was hopeful, you know, something
that was truthful and important, but would give, give a bit of a roadmap of how to how to fight this, this terrible thing. And it so happens this,
this group, the Cult of the Dead Cow, was perfect for the story, because they go back 35 years
to every iteration of, you know, the internet, really, and have had just this extraordinary
influence, well beyond their sort of like blip
of fame for a few years, 20 years ago. They've just done amazing stuff.
Well, let's go back to the very beginning then. What are the origins of the group itself?
So the Cult of the Dead Cow was born in Lubbock, Texas in either 1984 or 1986. And it started out in the in the bulletin board era, where people had 300
baud modems and it in order to connect online, it was a tremendous effort and not very satisfying.
And so it was these guys, the originals were, you know, young teenagers, 11, 12, 13, you know,
they'd gotten kicked out of the sort of like the
local bulletin board for being like too young and ignorant. So they wanted to be elite by
themselves. So they created their own bulletin boards. One of them was Demon Roach Underground.
So that was the home board of a kid who took the name Swamp Rat, which was later more
grandiloquently named Grandmaster Rat.
His real name, I put in the book, is Kevin Wheeler.
And, you know, he was a misfit.
Most of these kids are misfits.
They're smart, but they didn't, you know, fit in with the culture in Texas.
And they were really desperate to communicate with each other.
So they had these bulletin boards.
And back then, frequently only one person could connect at a time.
Right, right.
And so it was really tedious.
So by necessity, the early folks are early tech adopters because they're the only ones who would have put up with it.
And so the actual name itself, is there any record of how it was coined?
Sure, sure.
So there was a creepy abandoned slaughterhouse in Lubbock. And so that's where the idea of the dead cow came from. And, you know, we're talking about teenage boys here and they wanted to be edgy or nobody would show up. So there was like there was another board called KGB. And, you know, it was just part of the shtick. And, you know, they wanted to they wanted to seem a little a little edgy or nobody would pay attention.
So they start, I guess they build this sort of virtual clubhouse for themselves and their other group of friends that they gather together here.
So how then does it evolve to sort of common activities and, you know, efforts that they're making as a group?
Right. So there are a number of keys or transitions.
In the beginning, what brings them together,
this group of independent bulletin board operators,
were the Cult of the Dead Cow text files.
So text files are just essays.
They could be fiction. They could be nonfiction.
They could be about, in the case of the CDC,
some of them were about hacking, and some of them were just, you know, funny. So it was sort of like underground paper, like underground
newspaper, high school underground newspaper type stuff. Some of them were political, they're
frequently funny, and sometimes they're obscene. They distributed them, you know, to other
bulletin boards. And there were a lot of like important, like sort of marketing decisions
that the group made. And one of them was to number these text files. Other bulletin boards would want to have on hand like CDC, you know, numbers
one through 10, or so forth, you know, they didn't, they wanted a complete set. And so while
other, many other bulletin boards did text files, the CDC ones got spread pretty widely and got,
you know, famous for that era of the internet. Another really big transition
happened because one of the early members was a kid named Jesse Dryden, whose handle was obscene,
and so I won't mention it here. But the first part of it was drunk. And Jesse Dryden founded
one of the earliest hacking conferences called, it came to be known as HoHoCon, beginning in 1990.
It was over Christmas break, and it was originally called XmasCon. And it has the claim to be the first modern hacker con in
that it invited cops and the press. Previously, cops had showed up to hacking conferences undercover
and tried to build cases against and/or arrest the other folks. This is sort of like a turning point where it got to be more open.
And HoHoCon brought together not just other sort of like, you know, kids who are interested
in this stuff, but really much more technologically advanced hackers, including a troop from Boston
in the early 90s, who would be or already were in the L0pht, which is this iconic first shared
hacker space and had some of the leading technical minds of that generation.
And so as the group grows, are they putting any sorts of guardrails on themselves?
I'm thinking of dealing with things that might be illegal.
I remember back in those BBS days, phone phreaking was a popular thing because you had to deal with things like long-distance charges.
Was there tolerance of that sort of thing, or did they self-police themselves? How did it work?
So this is very interesting, and I go into this in quite a lot of detail in the book.
In the beginning, everybody was stealing long-distance service, because if the bulletin board wasn't in your area code, then you had to pay long-distance fees, or if you're trying to download anything, a program, a game, anything like that.
You're going to be connected for a long time, much longer than you would be to just chat to your cousin or some friend on the other side of town.
So these kids were all looking at multi-hundred dollar phone bills, and the parents would cut them off after one month of that.
So they basically all scrambled to get calling card codes, credit card numbers, or other ways, illicit ways to connect online. And so
this book made some news, in part, you know, a few months ago, because I revealed that Beto O'Rourke,
who had just declared for president had been a member of CDC back in the day. And yes,
he admitted to stealing long distance service. So he was, we now
have the first actual hacker running for the United States, uh, president, which is still kind
of mind-blowing. Even though I've known about it for a while, it still blows my mind. But so there
was kind of this moral forge that happened where everybody had to consider, you know, what was okay
about breaking the law, and was it better, was it okay morally for some reason to steal from,
uh, AT&T because they're, you know, you disapprove of them politically or they're
a monopoly or whatever. And people, you know, it's hard to justify as an adult, but, um,
you know, when you're 13 and you really, really want to connect, you're going to cut some corners.
But what's interesting to me is that people drew their own moral lines. There was a wide variety. Some of the people in CDC
did many more things that were considered criminal, but it was never a focal point of the group.
And it was for some others like Legion of Doom, Masters of Deception, quite famously. And they
were breaking into all kinds of stuff and, you know, hacking each other in pretty serious ways,
which led to a lot of them being arrested.
And that was never what CDC was about.
... to cross that line actually makes them more reflective about what is appropriate, what isn't, than the clean-cut kids, they're just coming into cyber security today. They went to like a nice
college and went for a big company and just start doing cyber security things. Those people can be
kind of sleepwalked into doing things that they might later think is a bad idea. There's a scene in the book where Mudge, one of the
most famous members of CDC, is at DARPA, the folks that brought you the internet. And for
a while there, he was running their cybersecurity grant making program. And people, because
he was a serious, very serious, talented hacker and author of hacking tools, people in the
intelligence agencies were asking him like, hey, can't we just go do this?
And Mudge would say, well, you could, sure.
And that's illegal.
And even to talk about it is illegal.
And it's also wrong.
So don't do that.
So because the intelligence guys were always under the, or very far removed from scrutiny,
they had the same issue as some young corporate type.
You know, they're lawyers and they don't have to worry about this stuff.
They just, you know, think of stuff they can do.
They don't have to be sort of like the one-man band, thinking about the legal aspects and the moral aspects that the old-school hackers were.
Yeah, is someone going to come knocking on my door, or even worse, on my parents' door?
Or hacking the heck out of you in revenge.
I mean, there are lots of—it was much harder.
A lot of these
guys, you know, had to fend off rival hacking groups and stuff like that. But it was, you know,
it's in part because the internet was new. And it wasn't as compartmentalized as it is now. I mean,
there are people who specialize just in hardware hacking, who don't know much about software. And
there are people who specialize in one, you know, just operating systems and don't know about other
stuff. So I mean, it's,
that's, there's also something lost there. These guys, a lot of them are really generalists, and were really curious about other parts of the security setup. And, you know, one of the
things I admire about CDC is that they went beyond the technical stuff and sort of approach the media
and politics with that same sort of critical hacker mindset.
We need to make things better writ large.
And maybe we don't know anything about how Congress works,
but we'll figure it out if we have to.
What was the hierarchy within the group itself? Was there leadership? Were there folks who were clearly in charge?
Yes. So Grandmaster Rat, who started the group,
had two people he considers co-founders, but they both disappeared within the first few years.
So it's really been Kevin's show the entire time since the mid-80s, at least since the late 80s.
But he's interesting. So he has this amazing sort of stage presence, and he describes himself as
like a hype man. Many people got to, many people got to hear about CDC
in the late 90s when they're sort of at their height of fame.
And for two successive years at DEF CON,
they put out these Trojans that allowed script kiddies
to break into any Windows box.
And they did it for a completely justifiable reason,
which was to force the monopoly Microsoft
to actually take security more seriously.
Because regular criminals could already break into all these machines,
and Microsoft wasn't doing anything about it.
So they wanted to make a spectacle and embarrass Microsoft and the media
into taking security more seriously.
But the guy, Kevin Wheeler, was the one that was pacing the stage
with the cowboy hat and chaps and doing a call and response for the crowd and like sort of
playing hacker villain for the cameras. So it's always been his show. But he is actually in person,
something of a recluse. He lives in New York now. He never talks about this stuff. It was very hard
to get him to talk to me. He's not sort of running it day to day. I would say there are a few people who joined in the early 90s who are the sort of the cultural leaders of the group.
You know, there are some that are more active than others.
Over the whole life of the group, there have been maybe 50 members, but there are only around 20 that are active at any one time, people going in and out.
But among the people who are the biggest sort of cultural leaders are Luke Benfey,
who has the name Deth Vegetable or Deth Veggie, and Omega, whose real name is Misha Kubecka. He was the text file editor for many years. And so all the CDC text files went through him. And Deth Veggie,
I think he took the title Minister of Propaganda.
So he was the one that sort of took the lead in dealing with the media.
Yeah, and I have to wonder, I mean, it strikes me that as a group like this that starts out with a bunch of people who are teenagers and young adults,
that it can survive this long,
that it can survive that initial group going into adulthood and having to face all the things that all of us do as we become adults,
with bills to pay and families and so on and so forth,
that it's been able to survive those changes, I think is quite remarkable.
It's not only remarkable, it's unique.
There is no other U.S. hacking group that has had
anything like that kind of a career. And again, it's funny, depending on somebody's age and when
they came into the scene, some people will say, oh yeah, CDC. When I first got online, those were
the first text files I saw. And other people that came in a little later, it's like, oh yeah, I was
just starting to hack. And the first tool I used was Back Orifice, which was one of those publicly released anti-Windows tools.
And then other people who say, oh, yeah, the first thing I heard about them was I was into politics, and I heard about this thing called hacktivism, which is something that the CDC invented. So all these successive phases of security work, or sort of
internet culture, the CDC was in the forefront. And they just kept making those transitions.
So after the year sort of 2000, 2001, you know, and they've been in the spotlight for years,
then they, you know, most of them at that point are running businesses or out of security,
or they're into something else. And so the spotlight moves off them, but they keep doing these amazing things. So Mudge goes
into the government where he creates the Cyber Fast Track and gives small amounts of DOD money
to promising individual hackers like Charlie Miller, which had never been done before.
Some of them form @stake, this seminal sort of hacker boutique that sends
people inside Microsoft and all these other big companies, and really helps to help show them like
where they're doing security wrong. And then the sort of like that the hacktivism activist wing,
led by a guy who was using the name Oxblood Ruffin, his real name is Laird Brown,
inspires major developments in Tor, the privacy tool
since endorsed by Edward Snowden, aids in the sort of thinking around the creation of
the Citizen Lab, which today is still the world leader in tracking how governments are
using technology against their own citizens.
So it's just, it's this amazing run against what still seems like an impossible field
to make a real difference in.
They kept doing it, and they did it in multiple ways.
Has there ever been much diversity in the group?
Were there any women, any minorities that were members?
Not as much as the group itself would like.
There's one email Kevin sent to the group that said, you know, why are we 95% white males? That was a problem in
the industry as a whole. And it was a problem in CDC. And there are some people that they
definitely should have invited in that they did not. But they did invite in Lady Carolyn,
whose real name is Carrie Campbell. And that was at the behest of Beto O'Rourke way back when they were just bulletin
board kids. So that made the CDC one of the very few hacking groups that old to have a full
member who is a woman. And I think, you know, I think that's pretty interesting that, you know,
Beto O'Rourke from Texas, you know, did that instead of just keeping it a, a, a guy's club. There was one
hacker of, um, of Indian descent. And then, um, I guess in a sense you could say that, uh,
one of their members, Craft Cat was, uh, uh, pansexual and multiracial, but that's only
because Craft Cat was fictional. Um, when they were really embarrassed about, uh, some hack or
some file, instead of using their real handles, they would just attribute it to Craft Cat.
Interesting.
Now, the subtitle of the book is
How the Original Hacking Supergroup Might Just Save the World.
Tell me about that.
What's your notion here that they could be the group to save the world?
Well, they've already done, as I've outlined, some pretty amazing things, right?
So there's @stake, which included people like Alex Stamos, who went inside and became chief security officer at Yahoo, which he left on principle after a secret court order asked for
Yahoo to turn over, to search all of its users' emails for something. And then he went inside Facebook as chief security officer
and blew the whistle on Russian election interference.
So I think historically a very important move.
Also from @stake, we get Window Snyder,
who was the driving force behind Windows XP Service Pack 2 at Microsoft,
which was a great leap forward in Microsoft security.
And then there's Katie Moussouris, who is sort of known, I guess, as a godmother of the bug
bounty movement.
She got Microsoft to pay its first bug bounties, got the Pentagon to pay hackers who were also
working within a friendly framework.
And then there's Veracode.
So Chris Rioux, the same guy who wrote Back Orifice 2000, the '99 sequel to Back Orifice, founded Veracode with another member of the L0pht,
Chris Wysopal. And Veracode allowed big software buyers to see what the binaries in the code that
they paid for were actually doing, as opposed to just looking at what the source code thought they
should be doing. And that really was another way to tip the scales away from the software oligopolies and monopolies
to the customers who have been generally left in the dark and with very little recourse.
So there are those things. There's the entire hacktivist movement which continues to this
day in various flavors. But I think really more than anything, it's the idea of
critical thinking that hackers as sort of outsiders and critical thinkers have tremendous value for
society, which is something that Beto O'Rourke has cited in his interviews with me, and this sort of
sense of moral purpose. And I think big tech is in a lot of trouble right now, not just security,
because it's lost touch with those roots, with the sense of technology being something that
is supposed to make people's lives better. It's been about, you know, improvements in technology
and about profit. And it hasn't really been about helping people. And that's become sort of more and
more clear in the past two years as Facebook has become a playground for
organized disinformation, as all the other tech companies are either helping the Pentagon with
artificial intelligence or facial surveillance for the cops or making deals with China.
There are all these major moral calls that have upset the workforce inside these companies. And
you have sort of this unprecedented rank-and-file activism now.
And I think a lot of that is because the people running these companies
didn't go through this sort of moral forge that the old-school hackers did.
They're making some bad calls here.
And so I think the way these guys saved the world, in theory,
is that the rank and file and the leaders
of these companies sort of revisit the importance of ethics and what they do. And there are a lot
of other things that can happen as well. Engineering schools these days require typically a philosophy
course. But that can mean that, you know, an EE student takes a course in Plato. What should
happen is that they should require case
studies the way that business schools do. And so you learn from, for example, the Challenger
disaster, where they interview everyone afterwards. And they say, well, the engineer said,
well, I felt this pressure to act like a manager instead of an engineer. And that's why I let this
launch go forward, even though I knew it was probably going to end in disaster or had a good chance of ending in disaster.
So the engineering schools can do things better.
And the professional associations, IEEE, ACM, all these groups can have more elaborate ethical codes.
They can have sort of continuing education requirements.
And there needs to be sort of like a pro bono tradition like there is in law and medicine. All that is really doable. And I think really necessary
if tech is going to pull itself out of the mess it's in right now.
Well, the book is The Cult of the Dead Cow. Joseph Menn, thanks so much for joining us.
Thanks for having me, Dave.