We continue our discussion with Joseph Menn about his latest book, Cult of the Dead Cow which tells the story of the oldest, most respected American hacking group of all time.

Episode Table of Contents

• [00:58] An Abbreviated History of Cybersecurity
• [07:56] Takeaways From the Cult of the Dead Cow
• [16:32] The Cyber Fast Track
• [23:13] The Larger Story of Hacking
• About Our Guest

An Abbreviated History of Cybersecurity

Carolyn: Hi, everyone, I'm Carolyn Ford. Today, Eric and I are back with Reuters investigative reporter Joseph Menn. Joe is one of the longest-serving and most respected mainstream journalists in cybersecurity. He has won three Best in Business awards from the Society of American Business Editors and Writers. He’s been a finalist for three Gerald Loeb Awards.

Carolyn: Today, we pick up where we left off last week. We’ll discuss his latest book Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World. It offers keen insight into hacker culture and an abbreviated history of cybersecurity.

Carolyn: It tells the story of the oldest most respected American hacking group of all time, though until now, it has remained mostly anonymous. Its members invented the concept of hacktivism, released the top tool for testing password security. They created what was for years, the best technique for controlling computers from afar.

Carolyn: With its origins in the earliest days of the internet, the CDC is full of oddball characters, activists, artists, even future politicians. Last week, we ended with the underbelly of the CDC. This week we get to my favorite part, the superheroes of the CDC, who really might just save the world.

Eric: I have a question, white hats or black hats, good or bad? How do they see themselves?

Joseph: I think of them as almost entirely white hats, because it depends which one you ask, they all have individual takes. Most of them would say that they're gray hats, but DilDog, Christien Rioux says that he's a gray hat. He is the guy that wrote BO2K, but he also founded Veracode, which is a billion-dollar company.

There’s No Good or Bad

Joseph: It has helped make God knows how many companies more secure by allowing them to audit the code of the stuff they're getting from vendors. So, if that's a gray hat, that's a pretty high threshold for what a white is.

Eric: How do you measure it and how do you balance the behaviors?

Joseph: It's obvious that Veracode hasn't done anything bad. BO2K you could argue two sides of, but that's one of the things that I love about this group. They leveled up morally or ethically in their behavior.

Joseph: From teenagers mucking around, who are basically amoral when the stakes are super low to, oh my God! Millions of people's security is at stake, billions, we have to do something. Whether it's by private sector volunteerism or working for the government, they kept finding new ways to try to help people.

Eric: And the power and capability to do something good.

Carolyn: He actually has an argument that it's not black and white, there is no good or bad. It's not binary, but there's just this non-binary code of ethics, basically.

Joseph: That's, again, one of the interesting things, and one of the reasons I wanted to write the book. The old school hackers, particularly these guys, but really anybody that goes back far enough to when they were phreaking. Or stealing credit cards or whatever they were doing, had developed their own moral code.

Joseph: And there are some that had no problem stealing from AT&T. There's some, "So, I don't have a problem stealing from AT&T, but I'm not going to steal from my neighbor."

Finding Where the Comfort Place Was

Joseph: There’s some that would say, "Well, if I steal just a little bit from all these different individuals and then do something good, it's okay." There are many places where I wouldn't go, where probably you wouldn't go. You would disagree with the moral codes they came up with. But they all had to put some work into finding one, to finding where their own comfort place was.

Joseph: And I worry very much that that doesn't happen anymore. Because as the industry has matured, as it needed to, and there's formal education, that you could go to. Instead of turning to computers because you had a terrible home life and you were 14 and there was nobody like you to play with.

Joseph: Now, you can go to a nice college and work for a nice big company and do cybery things without ever having gone through this forge process of, should I do this or should I not do this? What are the ethics? That means you can wind up getting sleepwalked into doing something that's bad for your customers, for your company, for society.

Joseph: If you've never really had to think about a back door, and sooner or later, if you're a serious, successful person in the cybers somebody's going to ask you to put in a back door. And if you haven't been through this process yourself or read about it and paid attention to it, you might come up with the wrong answer.

Eric: But, Joseph, could you argue the same thing for a police officer? They're there to protect the banks, they're there to protect society. They know how to do bad things, they see it all the time.

I’m a White Hat, Corporate Sellout

Eric: They probably know really well, how not to get caught. You could almost make the same argument, couldn't you?

Joseph: Yes. So, what would you do with those people? You'd want to have them have, not only formal training on this but philosophical training and peer-reinforced.

Eric: Moral, ethical. Exactly.

Joseph: For many years, hackers are embarrassed to talk about their own morality, except in just generalities. "Information wants to be free." Or, "We're exposing companies that want to hide stuff." I think there really needs to be more detailed discussion of it. One of my favorite talks was one Alex Stamos gave at either Black Hat or Defcon, before Snowden.

Joseph: I think it was before Snowden, either before or right after it, he talked about moral responsibility. It's like a priesthood, we have this specialized knowledge. People depend on us and with that comes responsibility. He put up slides. If, with hypotheticals, you discover that customer information is getting sold out the back door, do you complain to the CEO?

Joseph: Do you resign quietly? Do you resign publicly and expose it? All these different things. And he began the talk by saying, "I'm a white hat, corporate sellout. I went for the money. But if you're going to do that, here are some ways I found you might conduct yourself as ethically as possible."

Joseph: Then, what's later, he actually quit Yahoo because there was a secret court order. All Yahoo email was getting scanned under order of the FISA Court. They hadn't even told the security staff about it. So, he was true to his word and he quit that gig.

Takeaways From the Cult of the Dead Cow

Joseph: There needs to be more speeches like that. More like, "Hate me or love me, this is why I did what I did."

Carolyn: I liked what you said in the epilogue. These were the takeaways for me, but just that, one, develop a moral code. Stick to it, and you can do great things. Two, small groups with shared values can do even more. Three, this is the one I want you to unpack a little bit for me. You said, "Shift toward public interest." Can you talk about that one?

Joseph: Forever there's been a tradition. Hospitals can't turn away people, for the most part, simply because they can't pay. They're expected to take care of people, whether they can pay or not. Lawyers have a pro bono requirement in many cases, but certainly a tradition. They do work for the public interest, for 5% of their time, 10% of the time, whatever it is.

Joseph: Many of these really important professions have that component and tradition and expectation, and there hasn't been that for engineering. For many years, they got a free pass, from society and from the tech workers themselves. Because they were seen as basically helping everybody. And it's hard to understand how.

Joseph: But a few short years ago, pretty much everybody, left, right, Western, Eastern, thought that tech was good. Tech was helping people's lives, almost exclusively. And so, you could work for Facebook or Google or Apple and say, "I make good money. I'm doing interesting work and I'm helping the world. Therefore I don't have to do volunteer stuff on the side."

The Fairytale Ending of Cult of the Dead Cow

Joseph: I don't think anybody thinks that's true anymore. Nobody, universally, thinks that all tech is great, and that tech progress by itself is enough. It’s enough to move the world forward. People on the left hate Big Tech, people on the right help Big Tech. There are skirmishes everywhere, because of the way it was misused in the '16 election.

Joseph: Lots of other things, AI reinforcing racism, the surveillance stuff that is out of control around the world. And that we're only even talking about now because of the BLM movement. There's been a real recalibration and there's self-examination inside the tech industry and pressure from outsiders. Making them take this stuff more seriously, but there could be so much more.

Joseph: There could be a policy, for example, where if Google, where you're allowed to work on a pet project. For 10% of your time or 20%, whatever it is, and they don't allow that for everybody. But why not say, "Also, the 50 best proposals, we go, not to develop a side project for Google.

Joseph: But to go work at the Red Cross or Amnesty International or whatever, the Federal Election Commission." Give those people permission to do that, for a leave, and allow them to come back at their same level and the same salary. That's one way you could do it.

Eric: I love that idea.

Carolyn: This brings me to the fairytale ending of your book, Joseph, which are these guys, these little teenagers. This is what they turned into. They did exactly what you're talking about. Let's talk about Mudge first, I love him. He's now up there on my list.

Joseph: Mudge is a hero.

Make a Dent in the Universe

Carolyn: His motto, if you look him up on Twitter, he says, "Make a dent in the universe. Find something that needs improvement, go there and fix things. If not you, then who?” So, will you talk about him a little bit for me, Joseph?

Joseph: Mudge is a fascinating character. Many in the Cult of the Dead Cow had academic or a computer parents. His dad was a professor that specialized in NASA materials and stuff like that, materials science. He had the most pointy-headed parentage of any of them. A lot of them came from the South, Texas or other obscure places. It wasn’t easy to find communities of like-minded people.

Joseph: He came from Alabama, so extreme, the most extreme in that regard as well. And many of them are interested in music, Beto among them. His bulletin board was largely about finding alternative or punk music. You couldn't find them in mainstream stores or on mainstream radio stations.

Carolyn: Now, we're going to talk more about Beto too, because I'm voting for him. I'm telling you.

Joseph: Mudge was a bonafide musical prodigy. He went to the Berkeley School of Music in Boston, Berkeley with three E's. He’s a guitar prodigy. He was like most of the Cult of the Dead Cow in all of these regards. He was also this frontman, showman type while being just completely brilliant.

Eric: So, computers and music and NASA in the background?

Joseph: Yes.

Eric: For the history.

Carolyn: And DARPA, wait until we get to that.

Joseph: That's where we go. So, fast forward a little bit. He joins the L0pht and then he gets brought in from the L0pht to CDC as well.

Why Are You Writing the Cult of the Dead Cow

Joseph: There are four people who are in the L0pht, that were also in CDC, which is really funny. Because they developed this great good cop, bad cop routine. Where L0pht, while still using pseudonyms and being looked at as suspicious by many in the industry.

Joseph: They were pretty respectable and were seen as neutral. Those are the guys who could testify to Congress. Whereas Cult of the Dead Cow is like their hairy cousins from Texas. That are going to throw raw meat from the stage of Defcon and make a fool of you. And what's weird is, most people didn't realize they were the same people.

Joseph: Even when the book came out, some people on Twitter were like, "Why are you writing about the CDC? L0pht could totally kick their ass." I'm like, "They're the same guys." But anyway, so L0pht begets @stake, which is this pioneering security boutique where they go inside Microsoft.

Joseph: These other big companies that they use to tweak and actually tell them how to do things better. @stake eventually gets bought by Symantec and they scatter, like the Fellowship of the Ring. Mudge does intelligence contracting work.

Joseph: Actually this is an interesting point, so there's a very rough transition from when people try to make a living out of this stuff. When hackers first tried to make a living hacking, the most obvious thing to do is to try and catch other hackers. But that means, you can easily wind up burning your old friends.

Eric: You're rolling over on your own people.

Joseph: There are a number of people that were just a couple of years ahead of the early CDC crowd.

The Cyber Fast Track

Joseph: They did that and it didn't work. They got busted for working with the FBI. "Busted" for working with the FBI or for having known hackers on staff and whatever and those companies didn't go anywhere. Mudge managed to walk the line by figuring he would not name names and working with the cops. But he would talk to the intelligence community. At least, to tell them what was doable and what wasn't.

Joseph: Because he was basically rooting for our country versus other countries. They should at least be making informed decisions about what they should do. He was doing intelligence contracting way back when he was at the L0pht. Later he winds up running DARPA's cybersecurity program, about 10 years ago. For a three year stint, which is normally what DARPA does.

Joseph: During that time he worked on Stuxnetty-like things that he can't talk about. The thing that he did do, that is known in public, is he created something called the Cyber FastTrack. This was great because DARPA, who are the folks that brought you the internet in the first place. Normally gives great pots of money to established companies or universities.

Joseph: And I just want to say, they have the greatest slogan in the history of the Federal Government which is, "Their mission is the creation and suppression of strategic surprise." These are the guys that come up with, in addition to the internet, which is a defensive thing, futuristic weapons, really cool defense and offense.

Eric: Like hypersonic missiles and all kinds of good stuff, lasers, you name it.

Joseph: And a lot of stuff we don't know about yet. So, he's running their cyber program.

The Best Stuff in Cyber

Joseph: But he knows that a lot of the best stuff in cyber is done by two people in a garage or one person, or a small group. There's no way they can even get any federal contract, let alone something from a defensive place like DARPA.

Joseph: So, he convinces DARPA to do away with all the paperwork and do these small grants, like 10K, 20K, 50K, to one or two people to do something, to just try out an idea. He promises a turnaround within 30 days or something, and then they get to keep their IP.

Carolyn: And this is how the Jeep hack, you remember the Jeep hack, Eric, back in, 2011 or something? Where Miller hacked a Jeep.

Joseph: Charlie Miller was one of the recipients of one of the Cyber FastTrack grants. So are a lot of the best hackers, like the stars of Defcon and Black Hat. Those guys got money from Mudge's DARPA.

Carolyn: Is that program still in place today?

Joseph: Not in that form. I think there was permanent progress and you can get smaller amounts of money. But Cyber FastTrack itself, sadly, is gone, when Mudge rotated out. Mudge went on to do special projects at Google and he also created something. I'm going to bungle the name, but it's like a consumer report. A rating system for the security of the code, which is really cool.

Carolyn: Sorry, to just go back to the small programs. I thought you mentioned that it became a blueprint for the DoD.

Joseph: It was spread elsewhere within the Federal Government. But I think DARPA itself does not have that exact thing anymore.

An Overlap Between Napster and Cult of the Dead Cow

Eric: There are different components in the intelligence community, DIU and the government, the Defense Experimental Unit. There are different programs out there where they're dropping small grants or awards to organizations they wouldn't normally work with. They have different levels of success.

Carolyn: So, he's the one that pioneered this?

Joseph: Yes. So, he managed to hack the government in a good way.

Eric: As we're wrapping up here, I have one question I just have to get out. Maybe it's a two-part question, I'll cheat. How and why did they decide to let you in?

Joseph: That's a good question.

Eric: Why the publicity?

Joseph: Well, there are a number of reasons. First of all, they'd read my work, I'm an established guy.

Eric: Long track record.

Joseph: I had written a book on Napster. There's actually overlap between some of the people in Napster and some of the people around CDC. Shawn Fanning was a legit budding young hacker, and he was in hacking groups with some of these folks. So, they had read my Napster book. They'd talked to the people that I'd interviewed, who felt that they were treated fairly and that had gotten it right or whatever.

Joseph: Then, the next book was Fatal System Error. It was the first one to show that there's organized Russian cybercrime with protection by the Russian Government. This terrible force wreaking havoc upon the West. So, I think they appreciated my reporting. I don't think you can understate the importance of the statute of limitations as well.

Eric: So, they were free and clear, you can tell your story without any repercussions?

Joseph: That's right. None of them are murderers.

Overlapping Interests

Carolyn: Which brings us to Psychedelic Warlord. I don't want to leave without talking about him, also known as Beto O'Rourke.

Eric: So, we'll let Joseph finish and I promise you, Carolyn, before we finish, we'll come back to it.

Joseph: Well, let me answer Eric's question more fully. This is a long process and I talked to a few of them. I said, "Look, I'm interested in doing a book and it's going to be generally positive." Because I had already written a book that said, "We're all screwed." Fatal System Error. And that's true, it's still true, but there is good stuff to be done.

Joseph: I don't want people to give up and I want this message to be passed on to younger peoples, so they know, I explained how I worked, I was transparent about my process, which is something I always do. It wound up being more of a joint venture, we have overlapping interests this much. That's what we're going to focus on.

Joseph: I told them I wasn't going to hide any crimes or misbehavior, that I was going to talk about Jacob Applebaum. But the overall message is supposed to be inspiring. They gradually came more and more onboard. Until the point where they all let me use their names, which I did not expect at all, going in.

Carolyn: And Psychedelic Warlord, it was kept really secret until you published this book.

Joseph: I had the scoop myself, it was in the book and it was a fun part of the book. And I held, kept the last page to see whether or not he won this Senate race then he lost that.

The Larger Story of Hacking

Joseph: I'm like, okay, that's the end of the book, turned it in, ready to go, publish. As we worked through the physical process and the copy editing and all that, and then, wait a minute.

Joseph: He's traveling around random states, talking to people and blogging about it. He is not actually done, is he? I saw it was coming and I knew I couldn't. So, I thought he was going to run for president. I had an embargo with him. Because nobody would talk to me about Beto if it was going to screw his chances for running for Senate.

Joseph: I didn't really care about the outcome of a given Senate race. I wanted to tell the larger story of hacking and how it's more public interest. Now people who started out as hackers are trying to have a broader impact in society. So, I made a deal with him.

Joseph: I would not reveal that Beto O'Rourke had been in The Cult of the Dead Cow until after his Senate election. Then afterwards, I could have done it any time and I was saving it for the book. Because it was a cool scoop for the book. But then I'm like, oh my God, he's going to run for president, I can't sit on it.

Joseph: I can't have, not only the first-ever hacker run for president. Not only a hacker who’s an early member in the most influential hacking group of all time, in the United States. But also the guy that gender-integrated the most influential US hacking group of all time. I can't sit on that. So, I prepared a story and we let the first day's worth of coverage.

We’re in a Mess Right Now

Joseph: So that everybody knew about who Beto O'Rourke was. That he was in the race, he was coming in pretty high up. Second to Biden, or third, or whatever he was. we dropped a 3,000 word story on Reuters about him in the CDC. We said, "This is from the upcoming book." That story was the most read story in the history of reuters.com.

Carolyn: Great ending to the book. It did leave me with a lot of hope. I really loved this idea that you end the book with, "That seriously applied thinking should be treated as a form of critical infrastructure."

Joseph: Because we're in a mess right now. People believe that the world is flat. They don't see why masks will help protect you from COVID. There's all this terrible stupidity out there, that's being promoted for money or for political reasons. Or just generally due to the failure of our education system. And to me, really good hackers, any hacker who's any good is a critical thinker.

Joseph: You're looking at a system the way it didn't want to be looked at, and you're trying to find flaws with it. That's something to be prized and encouraged, that's how progress happens. If I can't change the American educational system or the way social media spreads crap. I can at least hold up these people as paragons of critical thinking. Some kind of moral cause and adaptability to new challenges and new platforms.

Carolyn: That's definitely the way the book left me. Thank you, Joseph, for spending some time with us. Thanks to our listeners for being part of To The Point Cybersecurity, subscribe wherever you get your podcasts. Until next week, be kind, wear a mask, run your patches.

About Our Guest

An investigative reporter for Reuters, Joseph Menn is one of the longest-serving and most respected mainstream journalists in cybersecurity. He has won three Best in Business awards from the Society of American Business Editors & Writers and been a finalist for three Gerald Loeb Awards. He previously worked for The Financial Times, Los Angeles Times and Bloomberg. Has spoken at conferences including Def Con, Black Hat and RSA.

His most recent book, Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World, was published in June 2019. It’s named one of the best 10 nonfiction works of the year by Hudson Booksellers. Inducted into the Cybersecurity Canon Hall of Fame. The Wall Street Journal named it one of the all-time "Five Cybersecurity Books That Everyone Should—and Can—Read."

The New York Times Book Review said: “The tale of this small but influential group is a hugely important piece of the puzzle for anyone who wants to understand the forces shaping the internet age." An adaptation of the book for Reuters revealed that Beto O'Rourke had been a member of the enormously influential group. It drew the most engagement on Reuters.com in its history.