
Episode 91

How the Original Hacking Supergroup Might Just Save the World, Part 1

We discuss Joseph Menn's latest book, Cult of the Dead Cow, which tells the story of the oldest, most respected American hacking supergroup of all time. Though until now it has remained mostly anonymous, its members invented the concept of hacktivism, released the top tool for testing password security, and created what was for years the best technique for controlling computers from afar. Many of these hackers have become top executives and advisors walking the corridors of power in Washington and Silicon Valley, including Mudge, WeldPond, DethVeggie, and even former U.S. congressman from Texas Beto O’Rourke (aka Psychedelic Warlord).

 

Joseph: Thanks very much for having me.

Eric: I am well. I'm waiting to see how you kick this one off.

Carolyn: Joseph has some author's notes at the beginning of the book. If this is okay with you, Joseph, I'd just like to read a couple of little parts from them.

Joseph: Sure.

Carolyn: They really summed up the book for me. The beginning of your notes, you say, "Technology is deciding the fate of the world, and we are everywhere in its chains." As I read the first half of your book, those chains were really heavy. It was depressing for me. I just thought, what chance do we have as a society?

Carolyn: You end your notes with this, however. "In a time of wider moral crisis in technology, this book is a rare message of hope and inspiration for tackling the worst problems before it's too late." I felt that the second half of the book, I feel like I have some newfound heroes.

Eric: I feel like Joseph got to your soul, Carolyn. Almost like the Marine Corps. He broke you down, and then he brought you right up at the ending.

Carolyn: He did. Wait until you hear some of these guys, what they did, these pimple-faced teenagers, what they turned into. I want to start with the first half of the book. Joseph, give a summary of who and what the Cult of the Dead Cow is.

Joseph: One of the reasons I picked the CDC to write about is, I wanted to illustrate something that was positive.

What Can Work in a Pretty Dark Time

Joseph: I wanted to hold up an example of things that can work in what is a pretty dark time. In addition to their accomplishments as a hacking supergroup and as individuals, they're handy for me as a narrative device. They go all the way back. They're still around, unlike most of the hacking supergroups of the time. That's 35 years now.

Eric: 1984, it's crazy. Five years after the first virus came out.

Joseph: They kept changing, they kept evolving. It's like after the book came out and I dropped the bomb about Beto, Matt Blaze said, "Oh, my God, Beto was in nerd Skull and Bones." It was like this: Skull and Bones is this Yale secret society that one or more Bushes were in, and they're weird.

Joseph: They have this great real estate in the middle of campus. Then they tap you on the shoulder and say like, "Skull and bones, in or out," or whatever. Practically everything else is a myth. We don't even know what's true about them, and Cult of the Dead Cow is like that, on the way to the nerd end of the spectrum.

Joseph: It's a small group, but it was self-selecting. They kept choosing new members, and over time folks would retire, move on to other things, and new people would come in. It wasn't a constant thing, which I think is really interesting. In some ways, it mirrored the evolution of hackers and security culture, and it sometimes kind of led that evolution.

Joseph: There were times 20 years ago when they were the apotheosis of hacker culture. They were the standard-bearers for this new movement, on a cusp of really great world importance.

Good Life Rules

Joseph: In the beginning, they were just a bunch of teenagers who ran bulletin boards.

Carolyn: And stole calling card numbers.

Joseph: Some came into their possession, yes. One of the things that's interesting that people today don't realize is that if you were on the net back in the day, unless your dad or your mom worked at a university, you were a criminal, because the bulletin boards were frequently in another area code, and long-distance calls were super expensive. Because the connections were slow in those days.

Joseph: You were going to have a mammoth phone bill, which your parents are going to be really displeased about. People did a variety of things. They traded stolen calling card numbers, credit card numbers. They borrowed somebody else's machine remotely, they did all these things. It made for a really interesting development. Because all these people who are now CSOs and CISOs were teenage criminals.

Carolyn: My favorite was that they would just hack the phone companies. That was the best part. I just want to read their rules. Number one, "Be known to an existing member." I found this to be key, Joseph, in your book and in other groups, this being known to an existing member in real life. Then "Don't be boring," that was number two. My favorite one is number three, "Don't be an asshole." These rules, they should really just apply across the board.

Eric: Those are life rules, good life rules?

Joseph: I think that is important. Again, the nickel tour here of the group is they're early bulletin board readers. Then they started writing mostly funny, sometimes obscene, sometimes silly text files, sort of randomly. They went in that direction because they had pretty crappy modems.

The Great Boston Hacking Supergroup

Joseph: All that they could download and upload would be text files. Not even pictures or stolen software or games, which a lot of people were interested in at their age.

Joseph: They did these text files, and then they were marketing-savvy, they figured out a way to distribute them. They numbered all the files, so people wanted a complete kit. And they would send them off to various other bulletin board operators. They were first famous as some of the earliest funny text files you would read when you stumbled onto the internet.

Joseph: Then because they were well-known and famous, they got a couple of other shots at evolution. Most bulletin boards went away with the advent of AOL and Windows 95, because you didn't need bulletin boards, you could have websites, but the CDC survived. By that time they had some overlap with the L0pht.

Joseph: These were great Boston hackers who famously testified before Congress in '98 that any of them could bring down the internet. They were much more technical people and they had one of the first websites. So they preserved the CDC files.

Joseph: The media was trying to understand this internet thing. By then, CDC was already established as the cultural granddaddy to understand all this stuff. While most hackers were running away from the press, the CDC just loved playing with the press. They got even more attention, more famous. And then these people with very serious hacking skills wanted to join CDC.

Joseph: They became a technical force, and famously released Back Orifice and BO2k. These tools allowed script kiddies to take over basically any Windows machine, and that forced Microsoft to get more serious about security.

Using Security for a Political Cause

Joseph: Their main peak of fame was 20 years ago. That's also when they brought out the idea of hacktivism: using security for a political cause, in particular in the service of human rights.

Joseph: Knowing each other in real life was super important. One of the reasons that Anonymous, which was much bigger, got amorphous and confusing and didn’t accomplish as much as they could have is because they didn't all know and trust each other. They didn't come from different backgrounds but shared values, which is what made CDC very strong.

Eric: You had to know each other in the physical world. That goes back to trust again. You had to know from a trust perspective who somebody was, before you let them into the society.

Joseph: Oh, the Hong Kong Blondes? Are you talking about Oxblood Ruffin?

Carolyn: Yes. He probably made them up.

Joseph: Either 80 or 100%, yes.

Carolyn: Talk about that a little bit for our listeners.

Joseph: One of the things that broke the CDC into more mainstream attention, aside from the tech community, which already knew about them, was the invention of this outfit called the Hong Kong Blondes. To back up a bit, the CDC got to the state where they could force changes at a giant company like Microsoft by their public antics, their technical savvy and their media savvy. Somebody in the book says it's like the dog that caught the car.

Joseph: Instead of giving up, they're like, "Okay, well, let's get in the car and drive it and see what we can do." What happened was that one of their number suggested that they move in a general political direction.

The Birth of Hacktivism

Joseph: Not just the company but more broadly political. He picked the perfect initial target, which was the Great Firewall of China. Because there were some people in CDC who worked for the U.S. government. There were some people in the CDC who hated the U.S. government. But nobody liked what China was doing with the Great Firewall and censorship. He encouraged them to plot ways in which hackers could help the people within China. There are a variety of things that could be done.

Carolyn: This is really the birth of hacktivism.

Joseph: This is the beginning of hacktivism. This is like '98, '99, and 2000. The thing that really got the mainstream media attention was this outfit called the Hong Kong Blondes. The Hong Kong Blondes, as described by members of the CDC, were a bunch of freedom-loving democracy enthusiasts with tech savvy that the CDC was advising on how to avoid censorship and avoid detection within China.

Joseph: It was this great, very colorful story, except that only one person had ever claimed to talk to any of them, and that was Oxblood Ruffin. At that point, his real name wasn't out. The details and the origin story of the group shifted over time. Not to ruin the surprise but Oxblood had convinced other people in the CDC that the Hong Kong Blondes were real, but they weren't.

Carolyn: In fact, press releases or articles were released, but the reporters never actually spoke to them.

Joseph: I trace how that happened. Unfortunately, this is something that still happens today, journalism being pretty imperfect and tech journalism maybe more than most journalism. The key thing was that there was a young reporter for Wired.

The Hong Kong Blondes

Joseph: He heard the first description of the Hong Kong Blondes when the CDC was speaking at HOPE, Hackers On Planet Earth in New York. He got very excited and pestered Oxblood for more details.

Joseph: Eventually Oxblood gave more details, and that story ran in Wired. Because Wired was really good by the standards of tech journalism, the mainstream press said, "Well, if Wired is saying this is true, then it must be true." Because Wired really did know more than most.

Eric: This is circa 2000-ish. The tech community isn't the same as it is now, 20 years later. It's a lot smaller. A lot fewer sources.

Joseph: There were very few, almost no full-time cybersecurity reporters back then who would have looked askance at this. So it echoed around a lot of the media. Naomi Klein wrote about them for the Toronto Globe and Mail. The Hong Kong Blondes got on the front page of the Los Angeles Times. "Part of the movement of people circumventing Chinese oppressive tech is the Hong Kong Blondes." And the front page of the LA Times, that's not messing around, that's big press.

Carolyn: Which is interesting because one of the things the CDC said was that the greatest threat to security is the poor distribution of real information. Yet they used the distribution of false information.

Joseph: I talked to them a lot about this. This book is the process of years of work and developing greater trust with these folks. It’s also verifying everything they told me very carefully, which is why there are so many footnotes. They came to an evolution. Back at the time, their pranksterism was a big part of it.

Not a Big Fan of Spreading Lies

Joseph: It was part of the hacker thing, and pranking the media for a cause was something that they are into. They’re one of the forefathers, foremothers, of the fake news hustling that happens, unfortunately, now to a great extent, including by those in power. In retrospect, their thinking is, if you're going to do a prank like that to draw attention to a serious problem, then it's okay. That's their opinion.

Joseph: A couple of them cited The Yes Men, who are these pranksters that managed to get on the BBC a number of times. One of their most famous stunts is they pretended to be Dow Chemical representatives. They said, "We're going to give everybody in Bhopal billions of dollars to make up for the chemical explosion there." You know, it wasn't true and they hoodwinked the media. But it got people thinking.

Joseph: "Gee, did Dow Chemical actually ever do anything to make up for this terrible thing that happened?" They now feel like that is different from a national government or a major political party spreading lies about the opposition. That's defensible. It might not be. I personally am not a big fan of spreading lies to the media because I'm in the truth business. But I can understand where they're coming from.

Carolyn: You mentioned the critical infrastructure bill, the first one. The Presidential Directive 63 where these guys testified before Congress under their names. Can you talk about that a little bit and why that was so significant?

Joseph: Dick Clarke, who was the first White House cyber czar, Richard Clarke, was trying to build up political momentum.

Hacking Supergroup That You Could Trust

Joseph: He was trying to build up political momentum like some sort of a federal oversight role to help at least encourage best practices in the industry, to get more attention on security. He was having a hard time because he was reading about all these hackers doing these amazing things. Then he would talk to the CEO of Oracle, the CEO of Cisco, CEO of Microsoft. They're like, "Oh, it's no big deal, this isn't really a problem," and it didn't make sense to him.

Joseph: He went to the FBI and said, "Are there hacking supergroups that you trust that I could talk to, to figure out what is actually possible?" He went up to Boston and went to the L0pht and talked to them for a while. He saw everything that they could do, and then he huddled with his guys later. And he said, "I thought only a nation-state could do all this stuff that these guys are doing. This is terrifying."

Joseph: To build support and awareness, rather than just have people from the NSA and CIA come in and blather on about how everything was fine, he arranged to have them come to testify to Congress. They agreed to do it only under their hacker handles. The only other time this has happened is maybe like organized crime informants testifying under an assumed name. It's really incredible.

Joseph: There's this famous picture of the seven members of the L0pht at that time, with Mudge with extremely long hair in the middle, looking like Jesus. I've always thought of that picture as like the L0pht supper. This is '98, and they testify that they can bring down the internet. Really good hackers knew that everything was built on sand.

Venture-Backed Hacker Security Boutique

Joseph: The more complicated the software is, the more holes there are. It's indefensible and it's rapidly getting more important. The American public didn't realize that. Watching these guys, really talented hackers telling Congress "What's up?" inspired a lot of people to think that maybe change was coming and that good things could happen.

Joseph: That’s specifically why, when the L0pht turned into @stake, this venture-backed hacker security boutique, people like Alex Stamos came and joined it. He didn't have the sketchy background of the early hackers. But like, "Wow, these are the guys that told Congress what’s up. I want to work for them."

Carolyn: This was in 1998.

Eric: Windows 95 had already come out. People had computers for at least a couple of years.

Carolyn: That same testimony is still taking place today. I don't know what's changed.

Eric: That’s my exact thought. I can't imagine 20 years ago, what it’s like explaining to Congress the world they live in. We see it today, and it's still so foreign to the Congress when they hear people testify.

Joseph: It's gotten better, there are people in Congress with computer degrees. There are people with intelligence agency backgrounds. It's not where it needs to be.

Eric: The staffers have a lot more information, which is where a lot of the movement happens. Society has recognized we do have greater challenges now. Over the last 22 years, the problem has gotten significantly worse also, both in scandal and complexity.

Carolyn: That was part of the weight of the first half of the book. I felt like, "I don't know, that was 1998 and I feel like it's the same story." Which brings me to another dark part of the CDC culture.

Allegations That Hurt the Credibility of Hacking Supergroup

Carolyn: Jake Appelbaum and Julian Assange and several others had sexual harassment allegations brought against them. Do you think those allegations hurt the credibility of these hacker groups?

Joseph: They did. The hacker movement, it's multiple movements, had the Me Too thing just as bad as Hollywood, as bad as anybody. It’s sad, but it's been a male-dominated field for a very long time.

Eric: Still is. A big problem.

Joseph: It's unfortunate because it's a community that welcomes outsiders and misfits, which is good. You want a place where those folks can belong and contribute. Unfortunately, some of the anti-establishment attitude means that really bad behavior gets tolerated.

Joseph: It's against the culture to go to the cops and complain about something or to complain about these figures. Also, there’s a problem with hero worship. Most great stuff is not done by a lone shining individual, it’s done by communities. Hackerdom has learned that, but it's a work in progress. It's a known problem in the labor movement, in the Black Panthers.

Joseph: A lot of anti-establishment outfits over the decades, there’s been really bad sex stuff near the top. They put pressure on people who are victims in saying, "Well, if you bring down Leader X, you're hurting the movement. If you go to the cops, then you're a snitch." They know that. Transgressors have used that to their advantage. Unfortunately, that happened with Jake Appelbaum and others.

Carolyn: We will pick up our conversation with Joe next week. Although we're ending on the underbelly of the CDC, next week we get to my favorite part. The superheroes of CDC, who really might just save the world. Until next week, be kind to yourself, and run your updates.

About Our Guest

 

An investigative reporter for Reuters, Joseph Menn is one of the longest-serving and most respected mainstream journalists in cybersecurity. He has won three Best in Business awards from the Society of American Business Editors & Writers and been a finalist for three Gerald Loeb Awards. He previously worked for The Financial Times, Los Angeles Times and Bloomberg. He has spoken at conferences including Def Con, Black Hat and RSA.

His most recent book, Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World, was published in June 2019. It was named one of the 10 best nonfiction works of the year by Hudson Booksellers and inducted into the Cybersecurity Canon Hall of Fame. The Wall Street Journal named it one of the all-time "Five Cybersecurity Books That Everyone Should—and Can—Read."

The New York Times Book Review said: "The tale of this small but influential group is a hugely important piece of the puzzle for anyone who wants to understand the forces shaping the internet age." An adaptation of the book for Reuters revealed that Beto O'Rourke had been a member of the enormously influential group. It drew the most engagement on Reuters.com in its history.
