Our guest today is Joseph Menn. He’s a longtime investigative reporter on technology issues, currently working for Reuters in San Francisco. He’s the author of several books, the latest of which is titled "Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World."
Dave Bittner: [00:00:03] Hello, everyone, and welcome to this special CyberWire extended interview. I'm Dave Bittner. This CyberWire special edition is made possible by Proactive Risk. PENTESTON was incubated by Proactive Risk at the New York University Veterans Future Lab and launched at Black Hat Def Con. PENTESTON is a cybersecurity vulnerability assessment workbench, also known as a hacking platform, that's used by individuals, businesses and service providers. PENTESTON quickly snaps into a pre-configured cyber range, allowing easy selection of the right tool for the job. Engage a single system or multiple targets to determine if identifying technical risk presents a threat to your business. For large projects, collaborate with multiple team members, and import and enter manual findings to a centralized QA resource. For a test drive, visit apt4hire.com to examine your internet attack surface today. That's APT, the number 4 h-i-r-e dot com. And we thank Proactive Risk for sponsoring our show.
Dave Bittner: [00:01:12] My guest today is Joseph Menn. He's a longtime investigative reporter on technology issues, currently working for Reuters in San Francisco. He's the author of several books, the latest of which is titled, "Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World."
Joseph Menn: [00:01:30] So I picked the Cult of the Dead Cow because I was looking to write something more positive about the industry and give folks an idea of what can be accomplished, because sometimes, you know, having covered cybersecurity for twenty years, it can be awfully grim. The architecture of the Internet is against you. The sort of software business market is against you. And geopolitics are against you.
Joseph Menn: [00:01:54] So I know this because, you know, I've written about it extensively. And my previous book, Fatal System Error was about that. And in particular, I singled out the Russian government's alliance with organized criminal hacking gangs. But, you know, that was to illustrate the broader point of how dire the situation was. And that came out in 2010. And since then, there have been other books that have pointed to one or another aspect of how terrible things are.
Joseph Menn: [00:02:22] And I could have done another one of those. But instead, I wanted to find something that was hopeful, you know, something that was truthful and important, but would give a bit of a roadmap of how to fight this terrible thing. And it so happens there's this group called The Dead Cow was perfect for the story, because they go back thirty-five years through every iteration of the Internet, really, and have had just this extraordinary influence well beyond their sort of like blip of fame for a few years, twenty years ago. They've just done amazing stuff.
Dave Bittner: [00:02:56] Well, let's go back to the very beginning, then. What are the origins of the group itself?
Joseph Menn: [00:03:02] So the Cult of the Dead Cow was born in Lubbock, Texas, in either 1984 or 1986, and it started out in the bulletin board era, where people had 300 baud modems, and in order to connect online - it was a tremendous effort and not terribly satisfying. And so it was these guys, the originals were, you know, young teenagers, 11, 12, 13. You know, they'd gotten kicked out of the local bulletin board for being too young and ignorant. So they wanted to be elite by themselves. So they created their own bulletin boards. One of them was Demon Roach Underground.
Joseph Menn: [00:03:43] So that was the home board of the kid who took the name Swamp Rat, which was later more eloquently named Grandmaster Rat. His real name I put in the book is Kevin Wheeler. And you know, he was a misfit. Most of these kids are misfits. They're smart, but they didn't fit in with the culture in Texas, and they're really desperate to communicate with each other. So they have these bulletin boards. And back then, frequently, only one person could connect at a time.
Dave Bittner: [00:04:11] Right. Right.
Joseph Menn: [00:04:12] And so it was really tedious. So by necessity, the early folks are early tech adopters, because they're the only ones who would have put up with it.
Dave Bittner: [00:04:22] And so the actual name itself, is there any record of how it was coined?
Joseph Menn: [00:04:26] Sure. Sure. So there was a creepy abandoned slaughterhouse in Lubbock, and so that's where the idea of the dead cow came from. And, you know, we're talking about teenage boys here, and they wanted to be edgy or nobody would show up. So there was another board called KGB, and, you know, it was just part of the shtick. And, you know, they wanted to seem a little edgy or nobody would pay attention.
Dave Bittner: [00:04:52] So they start - I guess they build this sort of virtual clubhouse for themselves and their other group of friends that they gather together here. So how then does it evolve to common activities and efforts that they're making as a group?
Joseph Menn: [00:05:09] Right. So there are a number of key transitions. In the beginning, what brings them together - this group of, you know, independent bulletin board operators - were called The Dead Cow text files. So text files are just essays - they could be fiction, they could be nonfiction, they could be about, and in the case of the CDC, some of them were about hacking and some of them were just, you know, funny. It was sort of like underground paper, like underground newspaper, high school underground newspaper type stuff. Some of them were political. They were frequently funny, and sometimes they were obscene. They distributed them, you know, to other bulletin boards. And there were a lot of important sort of marketing decisions that the group made, and one of them was to number these text files. Other bulletin boards would want to have on hand, like, CDC numbers one through ten, or so forth. You know, they wanted a complete set. And so, while many other bulletin boards did text files, the CDC ones got spread pretty widely and got, you know, famous for that era of the Internet.
Joseph Menn: [00:06:10] Another really big transition happened because one of the early members was a kid named Jesse Dryden, whose handle was obscene, and so I won't mention it here, but the first part of it was "drunk." And Jesse Dryden founded one of the earliest hacking conferences called - it came to be known as HoHoCon, beginning in 1990. It was over Christmas break and it was originally called XmasCon. And it has the claim to be the first modern hacker con, in that it invited cops and the press. Previously, cops had showed up to hacking conferences undercover and tried to build cases against and/or arrest the other folks there. This is sort of like a turning point where it got to be more open. And HoHoCon brought together not just other sort of, you know, kids who were interested in this stuff, but really much more technologically advanced hackers, including a troupe from Boston in the early 90s who would be or already were in the L0pht, which is this iconic first shared hacker space, and had had some of the leading technical minds of that generation.
Dave Bittner: [00:07:19] And so, as the group grows, are they putting any sorts of guardrails on themselves? I'm thinking of, you know, dealing with things that might be illegal. You know, I remember back in those BBS days, you know, phone phreaking was a popular thing, because you had to deal with things like long distance charges. Was there tolerance of that sort of thing? Or did they self-police themselves? How did it work?
Joseph Menn: [00:07:46] So this is very interesting, and I go into this in quite a lot of detail in the book. In the beginning, everybody was stealing long distance service, because if the bulletin board wasn't in your area code, then you had to pay long distance fees, or your parents had to pay long distance fees, in order to connect. And, you know, these - you're going to be online for a while, particularly if you're trying to download anything, a program, a game, anything like that. You're going to be connected for a long time, much longer than you would be to just chat to your cousin or some friend on the other side of town. So, these kids were all looking at multi-hundred dollar phone bills, and the parents would cut them off after one month of that. So they basically all scrambled to get calling card codes, credit card numbers, or other ways, illicit ways to connect online.
Joseph Menn: [00:08:36] And so this book made some news in part, you know, a few months ago, because I revealed that Beto O'Rourke, who had just declared for president, had been a member of CDC back in the day. And yes, he admitted to stealing long distance service. So he was - we now have the first actual hacker running for the United States president, which is still kind of mind blowing, even though I've known about it for a while, it still blows my mind.
Joseph Menn: [00:09:00] But so, there was kind of this moral forge that happened, where everybody had to consider what was OK about breaking the law, and was it better - was it OK morally for some reason to steal from AT&T? Because they're, you know, they did - you disapproved of them politically or they're a monopoly or whatever. And people, you know, it's hard to justify as an adult. But, you know, when you're thirteen and you really, really want to connect, you're - oh, I need to cut some corners.
Dave Bittner: [00:09:28] Right.
Joseph Menn: [00:09:29] But what's interesting to me is that people drew their own moral lines. There was a wide variety. Some of the people in CDC did many more things that were considered criminal. But it was never a focal point of the group. And it was for some others, like Legion of Doom, Masters of Deception, quite famously. And they were breaking into all kinds of stuff and, you know, hacking each other in pretty serious ways, which led to a lot of them being arrested. And that was never what CDC was about.
Joseph Menn: [00:09:56] But I think the most interesting thing is that these guys who sort of grew up with, you know, figuring out, knowing exactly where the law was and deciding in some cases where to cross that line actually makes them more reflective about what is appropriate and what isn't than the clean-cut kids that are just coming into cybersecurity today, that went to a nice college and went for a big company and just start doing cybersecurity things. Those people can be kind of sleepwalked into doing things that they might later think is a bad idea.
Joseph Menn: [00:10:29] There's a scene in the book where Mudge, one of the most famous members of the CDC, is at DARPA, the folks who brought you the Internet. And for a while there he was running their cybersecurity grant-making program. And people - because he was a serious, very serious, talented hacker and author of hacking tools - people in the intelligence agencies would ask him, like, hey, can't we just go do this? And Mudge would say, well, you could, sure, and that's illegal, and even to talk about it is illegal, and it's also wrong, so don't do that. So because the intelligence guys were always under the - were very far removed from scrutiny, they had the same issue as some young corporate type. You know, they are lawyers and they don't have to worry about this stuff, they just think of stuff they can do. They don't have to be sort of like the one man band thinking about the legal aspects and the moral aspects that the old school hackers were.
Dave Bittner: [00:11:21] Yeah, is someone going to come knocking on my door, or even worse, on my parents' door?
Joseph Menn: [00:11:24] Or hacking the heck out of you in revenge.
Dave Bittner: [00:11:27] Right.
Joseph Menn: [00:11:26] I mean, there are lots of moves - it was much harder. A lot of these guys, you know, had to fend off rival hacking groups and stuff like that. But it was, you know, it's in part because the Internet was new, and it wasn't as compartmentalized as it is now. I mean, there are people who specialize just in hardware hacking who don't know much about software. And there are people who specialize in one, you know, just operating systems and don't know about other stuff. So, I mean, it's - there's also something lost there. These guys, a lot of them, were really generalists, and were really curious about other parts of the security setup. And, you know, one of the things I admire about CDC is that they went beyond the technical stuff, and sort of approached the media and politics with that same sort of critical hacker mindset where, you know, we need to make things better writ large. And maybe we don't know anything about how Congress works, but we'll figure it out if we have to.
Dave Bittner: [00:12:22] What was the hierarchy within the group itself? Was there leadership? Were there folks who were clearly in charge?
Joseph Menn: [00:12:29] Yes. So, Grandmaster Rat, who started the group, had two people he considers co-founders, but they both disappeared within the first few years. So it's really been Kevin's show the entire time, since the mid 80s - at least since the late 80s. But he's interesting. So he has this amazing stage presence and, you know, he describes himself as, like, a hype man. Most people got to - many people got to hear about CDC in the late 90s when they were sort of at their height of fame, and for two successive years at Def Con, they put out these Trojans that allowed script kiddies to break into any Windows box. And they did it for a completely justifiable reason, which was to force the monopoly of Microsoft to actually take security more seriously. Because regular criminals could already break into all these machines, and Microsoft wasn't doing anything about it. So they wanted to make a spectacle and embarrass Microsoft in the media into taking security more seriously.
Joseph Menn: [00:13:30] But the guy, Kevin Wheeler, was the one that was pacing the stage with a cowboy hat and chaps, and doing a call and response to the crowd, and sort of playing hacker villain for the cameras. So it's always been his show, but he is actually, in person, something of a recluse. He lives in New York now. He never talks about this stuff. It was very hard to get him to talk to me. He's not sort of running it day-to-day. I would say there are a few people who joined in the early 90s who are sort of the cultural leaders of the group.
Joseph Menn: [00:14:04] You know, there are some that are more active than others. Over the whole life of the group, there've been maybe fifty members, but there are only around twenty that are active at any one time. People go in and out, but among the people who are the biggest sort of cultural leaders are Luke Benfey, who has the name Deth Vegetable or Deth Veggie. And Omega, whose real name is Misha Kubecka. He was the text file editor for many years, and so all the CDC text files went through him. And Deth Veggie - I think he took the title "Minister of Propaganda." So he was the one that sort of took the lead in dealing with the media.
Dave Bittner: [00:14:42] Yeah, and I have to wonder, I mean, it strikes me that as a group like this that starts out with a bunch of people who are teenagers and young adults, that it can survive this long, that it can survive that initial group going into adulthood and having to face all the things that all of us do as we become adults, with bills to pay, and families, and so on and so forth - that it's been able to survive those changes, I think is quite remarkable.
Joseph Menn: [00:15:14] It's not only remarkable, it's unique. There is no other US hacking group that has had anything like that kind of a career. And again, it's funny - depending on somebody's age and when they came into the scene, you know, some people will say, oh, yeah, CDC, when I first got online, those are the first text files I saw. And other people that came in a little later, it's like, oh, yeah, I was just starting to hack, and the first tool I used was Back Orifice - which was one of those publicly released anti-Windows tools. And then other people who say, oh, yeah, the first thing I heard about them was - I was into politics and I heard about this thing called hacktivism, which is something that the CDC invented. So all these successive phases of security work or Internet culture, the CDC was in the forefront, and they just kept making those transitions.
Joseph Menn: [00:16:06] So, after the years of 2000, 2001, you know, and they've been in the spotlight for years, then they, you know, most of them at that point are running businesses or out of security or they're into something else, and so the spotlight moves off them. But they keep doing these amazing things. So, Mudge goes into the government, where he creates the Cyber Fast Track and gives small amounts of DOD money to promising individual hackers like Charlie Miller, which had never been done before. Some of them form @stake, the seminal sort of hacker boutique that sends people inside Microsoft and all these other big companies, and really helps show them where they're doing security wrong. And then there's sort of like the hacktivism activist wing led by a guy who is using the name Oxblood Ruffin, whose real name is Laird Brown, inspires major developments in Tor - the privacy tool since endorsed by Edward Snowden - aids in the sort of thinking around the creation of the Citizen Lab, which today is still the world leader in tracking how governments are using technology against their own citizens. So it's just - it's this amazing run against what still seems like an impossible field to make a real difference in. They kept doing it, and they did it in multiple ways.
Dave Bittner: [00:17:21] Has there ever been much diversity in the group? Were there any women? Any minorities that were members?
Joseph Menn: [00:17:28] Not as much as the group itself would like. There's one email Kevin sent to the group that said, you know, why are we ninety-five percent white males? That was a problem in the industry as a whole, and it was a problem in CDC. And there are some people that they definitely should have invited in that they did not. But they did invite in Lady Carolin, whose real name is Carrie Campbell. And that was at the behest of Beto O'Rourke, way back when they were just bulletin board kids. So that made the CDC one of the very few hacking groups that old to have a full member who is a woman. And I think, you know, I think that's pretty interesting that, you know, Beto O'Rourke from Texas did that instead of just keeping it a guys club. There was one hacker of Indian descent.
Joseph Menn: [00:18:22] And then I guess in a sense, you could say that one of their members, Crass Cat, was pansexual and multiracial, but that's only because Crass Cat was fictional. When they were really embarrassed about some hack or some file, instead of using their real handles, they would just attribute it to Crass Cat.
Dave Bittner: [00:18:40] Interesting. Now, the subtitle of the book is "How the Original Hacking Supergroup Might Just Save the World." Tell me about that. What's your notion here that they could be the group to save the world?
Joseph Menn: [00:18:54] Well, they've already done, as I've outlined, some pretty amazing things, right? So, there's @stake, which included people like Alex Stamos, who went inside and became chief security officer at Yahoo, which he left on principle after a secret court order asked for Yahoo to turn over - to search all of its users' emails for something. And then he went inside Facebook as chief security officer and blew the whistle on Russian election interference. So I think, historically, a very important move.
Joseph Menn: [00:19:26] Also from @stake, we get Window Snyder, who was the driving force between Windows XP Service Pack 2 and Microsoft, which was a great leap forward in Microsoft security. And then there's Katie Moussouris, who is sort of known, I guess, as the godmother of the bug bounty movement. She got Microsoft to pay its first bug bounties, got the Pentagon to pay hackers who were also working within a friendly framework.
Joseph Menn: [00:19:54] And then there's Veracode. So Chris Rioux, the same guy who wrote Back Orifice 2000, the '99 sequel to Back Orifice, founded Veracode with another member of the L0pht, Chris Wysopal. And Veracode allowed big software buyers to see what the binaries in the code that they'd paid for were actually doing, as opposed to just looking at what the source code thought they should be doing. And that really was another way to tip the scales away from the software oligopolies and monopolies to the customers who have been generally left in the dark and with very little recourse.
Joseph Menn: [00:20:29] So, there are those things. There's the entire hacktivist movement, which continues to this day in various flavors. But I think really more than anything, it's the idea of critical thinking, that hackers, as sort of outsiders and critical thinkers have tremendous value for society - which is something that Beto O'Rourke has cited in his interviews with me - and this sort of sense of moral purpose.
Joseph Menn: [00:20:51] And I think big tech is in a lot of trouble right now, not just security, but big tech is in a lot of trouble right now, because it's lost touch with those roots, with the sense of technology being something that is supposed to make people's lives better. It's been about improvements in technology and about profit, and it hasn't really been about helping people. And that's become more and more clear in the past few years, as Facebook has become a playground for organized disinformation. As, you know, all the other tech companies are either helping the Pentagon with artificial intelligence, or facial surveillance for the cops, or making deals with China. There are all these major moral calls that have upset the workforce inside these companies. And you have sort of this unprecedented rank-and-file activism now.
Joseph Menn: [00:21:41] And I think a lot of that is because the people running these companies were not - didn't go through this sort of moral forge that the old school hackers did. They're making some bad calls here. And so, I think the way these guys save the world, in theory, is that the rank and file and the leaders of these companies revisit the importance of ethics and what they do.
Joseph Menn: [00:22:04] And there are a lot of other things that can happen as well. Engineering schools these days require typically a philosophy course. But that can mean that, you know, an EE student takes a course in Plato. What should happen is that they should require case studies the way that business schools do. And so you learn from, for example, the Challenger disaster, where they interview everyone afterwards and they say, well, the engineers say, well, I felt this pressure to act like a manager instead of an engineer, and that's why I let this launch go forward, even though I knew it was probably going to end in disaster, or had a good chance of ending in disaster. So, the engineering schools can do things better.
Joseph Menn: [00:22:43] And the professional associations - IEEE, ACM - all these groups can have more elaborate ethical codes. They can have sort of continuing education requirements. And there needs to be sort of like a pro bono tradition, like there is in law and medicine. All that is really doable, and I think really necessary if tech is going to pull itself out of the mess it's in right now.
Dave Bittner: [00:23:05] Well, the book is "The Cult of the Dead Cow." Joseph Menn, thanks so much for joining us.
Joseph Menn: [00:23:09] Thanks for having me.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.