Special Edition – Cult of the Dead Cow author Joseph Menn extended interview

hello everyone and welcome to this special cyber wire extended interview I'm Dave Bittner this cyber wire special edition is made possible by proactive risk pen test on was incubated by proactive risk at the New York University veterans future lab and launched at blackhat Def Con and test on is a cybersecurity vulnerability assessment workbench also known as a hacking platform that's used by individuals businesses and service providers pen test on quickly snaps into a pre-configured cyber range allowing easy selection of the right tool for the job engage a single system or multiple targets to determine if identified technical risk presents a threat to your business for large projects collaborate with multiple team members and import and enter manual findings to a centralized QA resource for a test drive visit apt for higher com to examine your internet attack surface today that's apt the number for hir e.com and we thank proactive risk for sponsoring our show my guest today is joseph menn he's a long-time investigative reporter on technology issues currently working for Reuters in San Francisco he's the author of several books the latest of which is titled cult of the dead cow how the original hacking supergroup might just save the world so I picked the call to the dead cow because I was looking to write something sort of more positive about the industry and give give folks an idea of of what can be accomplished because sometimes you know having covered cybersecurity for 20 years it can be it can be awfully grim the architecture of the Internet is against you this sort of software business market is against you and geopolitics are against you so I know this because I you know I've written about it extensively and my previous book fatal system error was about that and in particular I singled out the Russian government's alliance with organized criminal hacking gangs but you know that was to illustrate the the broader point of how dire the situation was and that came out in 2010 and since then there have been other books that have pointed to one or another aspect of how terrible things are and I could have done another one of those but instead I wanted to find something it was hopeful you know something that was truthful and important but would give give a bit of a road map of how to how to fight this this terrible thing and it so happens this group the cult of the dead cow was perfect for the story because they go back 35 years through every iteration of you know the internet really and and have had just this extraordinary influence well beyond they're sort of like blip of Fame for a few years 20 years ago they've just they've just done amazing stuff well let's go back to the very beginning then what are the origins of the group itself so the cultivated cow was born in Lubbock Texas in either 1984 1986 and it started out in the in the Bolton board era where people had 300 baud modems and it in order to connect online it was a tremendous effort and not very satisfying and so it was these guys the originals were you know young teenagers 11 12 13 you know they've gotten kicked out of the sort of like the local bulletin board for being like too young and ignorant so they wanted to be elite by themselves so they created their own bulletin boards one of them was Eamon Rocha underground so that was the home board of the kid who took the name swamp rat which was later more grand delicately named grand master wrap his real name I put in the book is Kevin wheeler and you know he was a misfit most of these kids are misfits they're smart but they didn't you know fit in with the culture in in Texas and they they're really desperate to communicate with each other so they have these balton boards and back at back then frequently only one person could connect at a time right right and so it was really it was really tedious so yeah so – by necessity the early folks are early tech adopters because it they're the ones who would have put up with it and so the actual name itself is there any record of how it was coined sure sure so there was a a creepy abandoned slaughterhouse in Lubbock and so that's where the idea of the dead cow came from and you know we're talking about teenage boys here and they wanted to be edgy or nobody would show up so there was like there was another board called KGB and you know it was just part of the shtick and you know they wanted to they wanted to seem a little a little edgy or nobody would pay attention so they start I guess they they build this sort of virtual Clubhouse for themselves and their their other group of friends that they gather together here so how do then does it evolve – for common activities and and you know the efforts that they're making as a group right so there are a number of keys or Trangia strands ish ins in the beginning what brings them together these the this group of you know independent bulletin board operators wear the clothes the dead cow text files so text files are just essays that could be fiction that could be nonfiction they could be about in the in the case the CDC some of them were about hacking and some of them were just you know funny so it was sort of like underground paper like underground newspaper high school underground newspaper type stuff some of them were political but they frequently funny and sometimes they are obscene they distributed them you know to other bulletin boards and there were a lot of like important like sir marketing decisions that the group made and one of them was to number these text files other bulletin boards would want to have on hand like CDC you know numbers 1 through 10 or so forth you know they didn't they wanted a complete set and so while other many other book boards did text files the CDC ones got spread pretty widely and and got you know famous for that era of the internet another really big transition happened because one of the early members was a kid named Jesse Dryden whose handle was obscene and so I won't mention it here but the first part of it was drunk and Jesse Dryden founded one of the earliest hacking conferences called you came to be known as hoho Khan beginning in 1990 it was over Christmas break and it was originally called Xmas Con and it has the claim to be the first modern hacker con in that it invited cops in the press previously cops had showed up to hacking conferences on to cover and try to build cases against and/or arrest for the other folks there this is sort of like a turning point where it got to be more open and ho-ho con brought together not just other sort of like you know kids who are interested in this stuff but really much more technologically advanced hackers including a troupe from Boston in the early 90s who would be or already were in the loft which is this iconic first shirt shared hacker space and had had some of the leading you know leading technical minds of that generation and so as the group grows or are they putting any sorts of guardrails on themselves it when I'm thinking of you know dealing with things that might be illegal you know I remember back in the those BBS days you know phone phreaking was a popular thing because you had to deal with things like long distance charges was there tolerance of that sort of thing or did they did they self police themselves how did it worse so this is this is very interesting and I go into this in quite a quite a lot of detail in the book in the beginning everybody was stealing long-distance service because if the bulletin board wasn't in your area code then you had to pay long-distance fees where your parents had to pay a long-distance fees in order to connect and you know these you you're going to be online for a while particularly if you're trying to download anything program a game anything like that you're going to be connected for a long time much much longer than you would be to just chat to your cousin or some friend on the other side of town so these kids were all looking at multi hundred dollar phone bills and the parents would cut them off after one month of that so they basically all scrambled to get calling card codes credit card numbers or other ways illicit ways to connect online and so this book made some news in part you know a few months ago because I revealed that Barrow Rourke who had just declared for president had been a member of so you see back in the day and yes he admitted to stealing long distance service so he was we now have the first actual hacker running for the United States president which is still kind of mind-blowing even though I've known about it for a while it still blows my mind but so there was kind of this moral forge that happened where everybody had to consider you know what was okay about breaking the law and was it better was it okay morally some for some reason to steal from AT&T because they're you know they did you know you did disapprove to them politically or they're a monopoly or whatever and people you know it's it's hard to justify as an adult but you know when you're 13 and you really really want to connect you're going to cut some corners but what's interesting to me is that people do their own moral lines there was this why there was a wide variety some of the people in CDC did many more things that were considered criminal but it was never a focal point of the group and it was for some others like Legion of Doom Masters of Deception quite famously and they were breaking into all kinds of stuff and and you know hacking each other in pretty serious ways you know which led to a lot of them being arrested and that was never what CDC was about but I think one of the most interesting things is that these guys who sort of grew up with you know figuring out knowing exactly where the law was and deciding in some cases where to that line actually makes them more reflective about what is appropriate what is and then the clean-cut kids they're just coming into cybersecurity today they went to a like a nice College they went for a big company and just start doing cybersecurity things those people can be kind of sleepwalked into doing things that they might later think is a bad idea there's a scene in the book where Mudge one of the most famous members of CDC is a DARPA the folks have brought you the internet and for a while there he was running their cybersecurity grant making program and people because he was a serious very serious talented hacker and author of hacking tools people in the intelligence agencies Rast I'm like hey can't we just go do this and much would say well you could sure and that's illegal and even to talk about it is illegal and it's also wrong so don't do that so because the intelligence guys were always under the a very far removed from scrutiny they had the same issue as some but some young corporate type you know they're layer lawyers and they don't have to worry about this off they just say oh think of stuff they can do they'd only have to be sort of like the one-man band thinking about the legal aspects and the moral aspects that the old-school hackers were yeah is someone going to be come knocking on my door or even worse on my parents door or packing the heck out even revenge I mean there are lots of moves it was much harder a lot of these guys you know had to fend off rival hacking groups and stuff like that but it was um you know it's in part because the internet was new and it wasn't as compartmentalized as it is now I mean they're people who specialized just in hardware hacking who don't know much about software and and there are people who specialized in one you know just operating systems and don't know about other stuff so I mean it's that's there's also something lost there these guys a lot of them were really generalists and we're really curious about other parts of the security setup and you know one of the things I admire about CDC is that they went beyond the technical stuff and sort of approached the media and and politics with that same sort of critical hacker mindset way you know we need to make things better writ large and maybe we don't know anything about how Congress works but we'll figure it out if we have to what was the hierarchy within the group itself was there was there leadership were there folks who were clearly in charge yes so Grand Master rat who started the group had two people he considers co-founders but they both disappeared within of the first few years so it's really been Kevin show the entire time since then since the mid 80s at least since the late 80s but he's interesting so he has this amazing sir stage presence and he you know he describes himself as like a hype man most people got too many people got to hear about CDC in the late 90s when they're sort of at their height of Fame and for two successes successive years at Def Con they put out these trojans that allowed script kiddies to break into any Windows box and they did it for a completely justifiable reason which was to force the monopoly Microsoft actually takes security more seriously because regular criminals could always already break into all these machines and Microsoft wasn't doing anything about it so they wanted to make a spectacle and embarrass Microsoft and the media into taking security more seriously but the guy Kevin wheeler was the one that was pacing the stage with the cowboy hat and chaps and doing a call in response to the crowd and like sort of playing hacker villain for the cameras so it's always been his show but he is actually in person something of a recluse he lives in New York now he never talks about this stuff it was very hard to get him to talk to me he's not sort of running it day-to-day I would say there are there are a few people who joined in the early 90s who are the sort that this or the cultural leaders of the group you know there's there some that are more active than others the whole over the whole life of the group they've been maybe 50 members but they're only around 20 that are active at any one time people go in and out but I among the people who were the biggest sort of disre cultural leaders are Luke Ben Phi has the name death vegetable or death veggie and Omega whose real name is Misha kubecka he was the the text file editor for many years and so L the CBC text file went through him and death AG I think he took the title minister of propaganda so he was the one that sort of took the lead and doing with the media yeah and I have to wonder I mean it strikes me that as a group like this that starts out with a bunch of people who are teenagers and and you know young adults that it can survive this long that it can survive that initial group going into adulthood and having to face all the things that all of us do is we become adults with bills to pay and families and and so on and so forth that it's been able to survive those changes I think is quite remarkable it's not unremarkable it's unique there there is no other us acting group does that anything like that kind of a career and and again they sort of it's funny depending on somebody's age and when they came into the scene you know some people will say oh yeah CDC no when I first got online those the first text files I saw another people that came in a little later it's like oh yeah I was just starting to hack and the first tool I used was back orifice which was one of one of those publicly released anti Windows tools and then other people who say oh yeah the first thing I heard about them was I was into politics and I heard about this thing called hacktivism which is something that the CDC invented so all these successive phases of security work or so internet culture the CDC was in the forefront and they just they just kept making those transitions so after the years of 2000 2001 you know and they've been in the spotlight for years then they you know most of them at that point are running businesses or out of security or they're into something else and so the spotlight moves off them but they keep doing these amazing things so much goes into the government where he creates the cyber fast track and gives small amounts of DoD money to promising individual hackers like Charlie Miller which had never been done before some of them form at stake this the seminal sort of hacker boutique that sends people inside Microsoft and all these other big companies and really helps that help show them like where they're doing security wrong and then the sort of like that the hacktivism activist wing led by a guy who was using the name oxblood Ruffin his real name is Larry Brown inspires major developments in tor the privacy tool since endorsed by Edward Snowden aids in the the the sort of thinking around this the creation of the citizen lab which today is still the world leader in tracking how governments are using technology against their own citizens so it's just it's this amazing run against what still seems like an impossible field to make a real difference in they kept doing it and they did it in multiple ways has there ever been much diversity in the group or were there any women in any any minorities that were members not as much as the group itself with like there's one email Kevin sent to the group that said you know why are we 95 percent white males you know that was a problem in the industry as a whole and it was a problem in CDC and there are some people that they definitely should have invited in that they did not but they did invite in lady Carolyn whose real name is Carrie Campbell and that was at the behest of beta or Roark way back when they were just both board kids so that made the CDC one of the very few hacking groups to that old to have a full member who is a woman and I think it you know I think that's pretty interesting that you know better work from Texas you know did that instead of just keeping it a guys club there was a one hacker of of Indian descent and then I guess in a sense you could say that one of their members craft cat was a pansexual and multiracial but that's only because grass cat is fictional when they were really embarrassed about some hack or some file instead of using their real handles they were just attributed to crest cast interesting now the subtitle of the book is how the original hacking supergroup might just save the world tell me about that why what's what's your notion here that they could be the group to to save the world well they've already done as I you know vout1 some pretty amazing things right so there's at stake which included people like Alex Stamos who went inside and became chief security officer at Yahoo which he left on principle after a secret court order asked for Yahoo to turn over is to search all of its users emails for something and then he went inside Facebook as chief security officer and blew the whistle and Russian election interference so I think historically a very important move also from at stake we get window Snyder who was the driving force between windows xp service pack 2 and Microsoft which was a great leap forward in Microsoft security and then there's Katie matharis who is sort of known I guess as the like a godmother of the bug bounty movement she got Microsoft to pay its first bug bounties got the Pentagon to pay hackers who were also working within you know a friendly framework and then there's Vera code so Chris rue the same guy who wrote back orifice 2000 of the 99 sequel to back orifice founded Vera code with another member of the loft Chris Hoy Soho and Vera code was the loud big software buyers to see what the binaries in the code that they paid for were actually doing as opposed to just looking of what the source code thought they should be doing and that really was another way to tip the scales away from the software oligopolies and monopolies to the customers who have been generally left in the dark and with very little recourse so there are those things there's the entire hacktivists movement which continues to this day in various flavors but I think really more than anything it's the idea of critical thinking that hackers as sort of outsiders and critical thinkers have tremendous value for society something a better work has cited in his interviews with me and this sort of sense of moral purpose and I think big tech is in a lot of trouble right now not just security but big tech is in a lot of trouble right now because it's lost touch with those roots with the sense of of technology being something that is supposed to make people's lives better it's been about you know improvements in technology and about profit and it hasn't really been about helping people and that's becomes for more and more clear in the past two years as Facebook has become a playground for organized disinformation as you know all the other tech companies are either helping the Pentagon with artificial intelligence or facial surveillance for the cops or making deals with China there all these major moral calls that have upset the workforce inside these companies and you observed this unprecedented rank-and-file activism now and I think a lot of that is because the people running these companies we're not didn't go through this sort of moral Forge that the old-school hackers did they're making some bad calls here and so I think the way these guys saved the world in theory is that the rank-and-file and the leaders of these companies so revisit the importance of ethics and what they do and there are a lot of other things that can happen as well engineering schools these days require typically a philosophy course but that can mean that you know an EE student takes a course in Plato what should happen is that they should require case studies the way that business schools do and so you learn from for example the Challenger disaster where they interview everyone afterwards and they said well the engineers said what I felt this pressure to act like a manager instead of an engineer and that's why I let this launch go forward even though I knew it was probably going to end in disaster or had a good chance of ending in disaster so the engineering schools can do things better and the the professional associations I Triple E ACM all these groups can have more elaborate ethical codes they can have sort of continuing education requirements and it needs to be sort of like a pro bono tradition like there is in law and medicine all that is really doable and I think really necessary if tech is going to pull itself out of the mess it's in like that well the book is the cult of the dead cow joseph menn thanks so much for joining us thanks for having me

Leave a Reply

Your email address will not be published. Required fields are marked *