Written by Sean Lyngaas
In recent years, the word “hacker” has shed some of its negative connotation in policy circles as lawmakers discover white hats who are trying to make the world a better place.
That evolution – to see what was once considered destructive as constructive, and to use it to make software more secure – is an under-appreciated bright spot on today’s cybersecurity landscape. The hacking group that pushed the world furthest toward this paradigm shift is the Cult of the Dead Cow (cDc). Its story is skillfully told in the new eponymously named book from Reuters journalist Joseph Menn.
“In general, the public has become more accepting of hacking and hackers,” Menn, a veteran cybersecurity reporter, told CyberScoop. “One of my goals in writing the book was to push that forward.”
Menn traces cDc from its humble origins in northwestern Texas to the conquests of its more famous members like Peiter “Mudge” Zatko, who has worked for DARPA and Google. In between is the story of how a brilliant band of tinkerers, coders, and provocateurs made Microsoft blush by exposing gaping holes in the Windows operating system, shaped a generation of hacktivists, and influenced a crop of privacy-minded projects like Tor and Citizen Lab.
Telling the story was not easy. Hackers often value anonymity, and Menn said it was a slow process to convince cDc members to speak to him on the record. That effort culminated in revealing that Democratic presidential candidate Beto O’Rourke was a cDc member as a teenager.
“Some of them crave attention,” Menn said. “And there are others who are super shy and underground and I still don’t know their full names.”
Though flamboyant while in public promoting cDc, Kevin Wheeler, the group’s founder, is reclusive offstage, according to Menn. “It was really hard to [even] get him to talk about talking,” Menn said of Wheeler.
cDc started with irreverence; the morality, and hacking chops, came later. Wheeler was a bored teenager in Lubbock, Texas, in the 1980s when he discovered bulletin boards, the precursor to the public internet that involved dialing into a modem to read or leave text files, or t-files. Wheeler and his friends wrote fictional t-files that mocked the establishment. Like a lot of kids in his day, Wheeler obtain and traded “cracked” versions of software that allowed the programs to be more widely shared. It was a subversive way of getting familiar with technology.
As their circle meant more to them, Wheeler gave it a name that, as Menn writes, invoked the “unpleasant hind part of the most iconic Texas industry.”
cDc’s growth had members looking for places to meet up. That need for in-person collaboration would serve the broader cybersecurity community and eventually spawn one of the biggest hacking conferences in the world, DEF CON. Menn tells us how in 1990, cDc member Jesse Dryden, the son of the Jefferson Airplane drummer, started HoHoCon at a hotel near the Houston airport. Dryden, whose contributions to cDc prompted comparisons to Ken Kesey’s Merry Pranksters, summoned all “hackers, journalists, and federal agents” to HoHoCon.
“The joke was that while this would be the first hacker conference with feds invited to attend, it was not the first with them present,” Menn writes.
HoHoCon created a safe space for people from various walks of life in the cybersecurity industry to interact. Nearly 30 years later, despite the industry surging in size, the conferences inspired by HoHoCon are still essential venues for journalists, hackers, and feds to trade stories.
One of the book’s big accomplishments is illustrating for the lay, non-technical reader how groups of hackers and security researchers like cDc and L0pht – which inspired each other and had shared members – have staked out moral ground in the struggle to make the internet more safe and secure. A Canadian named Laird Brown, pseudonym Oxblood Ruffin, injected cDc with some of this moral urgency, traveling to Tibet to help protect its population from surveillance.
It is a noble fight, and not as lopsided as you might think. It will get less lopsided the more policymakers learn to use the expertise of researchers who, in the cDc tradition, brush up against the legal lines of digital exploration but do not cross them.
“One lesson from the Cult of the Dead Cow’s remarkable story is that those who develop a personal ethical code and stick to it in unfamiliar places can accomplish amazing things,” Menn writes. It is a shot of optimism from a book that also reflects on how governments have harnessed software programs to their own cynical ends.
While the industry may be accustomed to grim news, “this is a largely positive book,” Menn said. Now, a younger generation of hackers has a reliable and highly readable record of the group that did so much to break the status quo in the industry.
Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World; Joseph Menn, Public Affairs, 256 pages, $28