Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World
by Joseph Menn
The internet as we know it today would not exist but for the Cult of the Dead Cow. The cDc is among America’s oldest and most venerated hacking collectives. They invented hackivism, helped develop Tor, forced Microsoft and other industry titans to take cybersecurity seriously and even built a few non-lethal digital weapons for the US government.
But the Dot Com bust in 2000, followed by the 9/11 attacks the following year shook the collective to its core. In the excerpt below from Cult of the Dead Cow, author Joseph Menn examines how these events impacted the hacking community and forced its members to take a hard look at their moral compasses.
The @stake story was a strange shotgun union of two powerful and growing forces: venture capital and hacking. In its short arc, @stake established an enormously important precedent for security: that outsiders could go into big companies and make the systems and products there safer. Perhaps more importantly, @stake hackers dispersed and founded many more companies in the next few years, and they became security executives at Microsoft, Apple, Google, and Facebook. But those same years revealed psychological fragmentation in the movement along with the physical diaspora. The cDc of Def Cons 1998 through 2001 had ridden the crest of a wave of hacker sensibility.
Each year the crowds grew in number, young, irreverent, and on the cusp of mass recognition, if not big money. That short period was as important for technology culture as the Summer of Love, in 1967 San Francisco, was for the hippies. Laird Brown’s hacktivism panel in the summer of 2001 set a high-water mark for that kind of enthusiasm, for open-source, idealistic efforts to protect people even from their own government.
But any youthful protest ethic faces a challenge when its adherents need to find jobs and pay their bills. That concern increased in 2001, one year into the great bust that followed the dot-com boom. Not everyone could get a job with @stake or other boutiques. But it was a second, more direct blow that scattered young hackers in different directions for many years: the terrorist attacks on the World Trade Center and the Pentagon.
Those driven primarily by money were already paying less attention to ethical quests, such as the fun and games in keeping Microsoft honest. Now, in the months after the 9/11 attacks, those driven largely by causes also had a strong contender for their attention: rallying against the worst attack on American soil since Pearl Harbor. This was true for rank-and-file hackers, who took assignments from the military or intelligence agencies, and even cDc’s top minds, including Mudge.
Mudge had instant credibility, since he had taught government agents and they used his tools. Government red team penetration-test leader Matt Devost, who had covered cDc in a report given to a presidential commission on infrastructure protection, used L0pht tools to break into government networks. Spies loved Back Orifice and BO2k because if they left traces behind, nothing would prove US government responsibility.
Two years before 9/11, an intelligence contractor I will call Rodriguez was in Beijing when NATO forces in the disintegrating state of Yugoslavia dropped five US bombs on the Chinese embassy in Belgrade, killing three. Washington rapidly apologized for what it said had been a mistake in targeting, but the Chinese were furious. In a nationally televised address, then Chinese vice president Hu Jintao condemned the bombing as “barbaric” and criminal. Tens of thousands of protestors flowed into the streets, throwing rocks and pressing up against the gates of the American embassy in Beijing and consulates in other cities.
The US needed to know what the angry crowds would do next, but the embassy staffers were trapped inside their buildings. Rodriguez, working in China as a private citizen, could still move around. He checked with a friend on the China desk of the CIA and asked how he could help. The analyst told Rodriguez to go find out what was happening and then get to an internet café to see if he could file a report from there. Once inside an internet café, Rodriguez called again for advice on transmitting something without it getting caught in China’s dragnet on international communications. The analyst asked for the street address of the café. When Rodriguez told him exactly where he was, the analyst laughed. “No problem, you don’t have to send anything,” he explained. “Back Orifice is on all of those machines.” To signal where he wanted Rodriguez to sit, he remotely ejected the CD tray from one machine. Then he read everything Rodriguez wrote as he typed out the best on-the-ground reporting from Beijing. Rodriguez erased what he had typed and walked out, leaving no record of the writing.
Even before 9/11, Mudge had been talking to Richard Clarke and others at the National Security Council. Often, Mudge argued for privacy. The government had wanted to put location tracking in every cell phone as part of Enhanced 911 services, for example. Mudge told the NSC that the privacy invasion was unnecessary, that information from cell phone towers would be good enough for any serious official need.
One day in February 2000, after a rash of denial-of-service attacks that bombarded big websites with garbage traffic so that regular users couldn’t connect, Richard Clarke brought Mudge into a White House meeting with President Bill Clinton and a bunch of CEOs. “It was, I think, the first meeting in history of a president meeting people over a cyber incident,” said Clarke, who had organized it to show White House responsibility on the issue and build the case internally for more government oversight. After answering Clinton’s questions on what was fixable and what wasn’t, the guests walked out of the office. The CEOs saw the reporters waiting and prepared their most quotable platitudes.
Instead, the press swarmed Mudge, as even those who didn’t know him assumed that the guy who resembled a Megadeth guitarist was a hacker meeting with the president for good reason. “Of course Mudge stole the show,” Clarke said.
But in order to be taken seriously, Mudge had to tell the truth. Once, an NSC staffer brought him in and asked what he knew about a long list of terrorists and other threats. What did he know about Osama bin Laden? About the group behind the sarin attack in the Japanese subway? About the Hong Kong Blondes?
At that one, the blood drained from Mudge’s face. “What do you mean?” he asked.
“We’ve been informed it’s a small, subversive group inside China that’s helping dissidents with encrypted communications,” the staffer replied.
“I’ve heard of them,” Mudge offered.
“What can you tell us?” the staffer persisted.
Mudge figured the government hadn’t put a lot of resources into the goose chase because signals intelligence and other sources would have turned up nothing and convinced seasoned professionals that it was a red herring. But he didn’t want the country to waste any energy that could go toward supporting real people in need.
He shrugged and looked straight at the staffer. “We made them up,” Mudge admitted.
After 9/11, Mudge went into overdrive. President Bush was warned that a cyberattack would have been worse than the planes, and he listened. Mudge then started exploring what a “lone wolf” terrorist hacker could do. “I’m finding ways to take down large swaths of critical infrastructure. The foundation was all sand. That rattled me,” Mudge said.
Looking into the abyss exacerbated Mudge’s severe anxiety, his tendencies toward escapist excess, and his post-traumatic stress disorder, which had its roots in a violent pre-L0pht mugging that had injured his brain. He went into a spiral and eventually broke down. “Ultimately, I just cracked a bit,” Mudge said. He spent days in a psychiatric ward. (Anxiety and burnout in the face of the near-impossible, high-stakes task of defending networks was not yet recognized as a major industry problem, as it would be a decade later.) Unfortunately, some of Mudge’s treatment compounded the situation. As is the case with a minority of patients, his antianxiety medications had the opposite of the intended effect. Eventually, Mudge fired his doctors, experimented with different medications and therapy, and worked his way back to strong functionality. But when he returned to @stake after many months, it was too fractious and uninspiring for him to be enthusiastic about reclaiming his post. The dot-com bust had forced layoffs of L0pht originals while managers were drawing huge salaries. The emphasis was on the wrong things.
Outside of @stake, hackers began disappearing from the scene for six months or more. When they came back, they said they couldn’t talk about what they had been doing. Those who went to work for the intelligence agencies or the Pentagon, temporarily or permanently, included many of the very best hackers around, including a few present or former cDc members and many of their friends in the Ninja Strike Force. They wanted to protect their country or to punish Al-Qaeda, and in many cases they got to work on interesting projects. But many of them would not have passed the background investigations required for top secret clearances. To get around that problem, a large number worked for contractors or subcontractors. One way or another, a lot of their work went into play in Afghanistan and Iraq.
Some hackers felt great fulfillment in government service. Serving the government in the wake of the terror attacks gave them a chance to fit in when they hadn’t before, united by a common cause. But for too many of this cohort, what started with moral clarity ended in the realization that morality can fall apart when governments battle governments.
That was the case with a cDc Ninja Strike Force member I will call Stevens. As Al-Qaeda gained notoriety and recruits from the destruction, the US Joint Special Operations Command, or JSOC, stepped up the hiring of American hackers like Stevens. Some operatives installed keyloggers in internet cafés in Iraq, allowing supervisors to see when a target signed in to monitored email accounts. Then the squad would track the target physically as he left and kill him.
After 9/11, the military flew Stevens to another country and assigned him to do everything geek, from setting up servers to breaking into the phones of captured terrorism suspects. Though he was a tech specialist, the small teams were close, and members would substitute for each other when needed. Sometimes things went wrong, and decisions made on the ground called for him to do things he had not been trained in or prepared for mentally. “We did bad things to people,” he said years later, still dealing with the trauma.
Others had similar experiences. A longtime presenter at hacking and intelligence community gatherings, former clergyman Richard Thieme, gave talks about the burdens of protecting secrets that should be known and about the guilt suffered by people made to carry out immoral orders. After he asked people to send in their stories, some listeners provided accounts like Stevens’s. “It occurs to me how severely the trajectory of my own career has taken me from idealistic anarchist, to corporate stooge, to ambitious entrepreneur, to military/intelligence/defense/law enforcement adviser,” wrote one. “Many cyber guys started out somewhere completely different and then somehow found themselves in the center of the military-industrial complex in ways they would never have been prepared for.” Once there, the difficulty in keeping secrets is “potentially more extreme because the psychological make-up and life-story of the cyber guy would not have prepared him for it.”
When one joins an intelligence service at the start of one’s career, one is involved in low level, apprentice-like, tasks and assignments usually far removed from traumatic action or profound moral considerations, much less decisions. In the course of a career such actions/decisions slowly grow into being, almost imperceptibly for many people. One may suddenly “awake” to where one is and realize that he/she had not been prepared for this, and also realize that one is now deeply into the situation, perhaps well beyond a point that one would have stepped into if it had been presented from the start. If this is the case, it’s too late to turn back.
When you are on the ground, Thieme said, “the rules people think they live by are out the window.” People who score too high on morals tests are rejected by intelligence services, he said, because a conscientious whistle-blower is even more dangerous than an enemy mole.
Excerpted from Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World, by Joseph Menn. Copyright © 2019. Available from PublicAffairs, an imprint of Hachette Book Group, Inc.