The Cult of the Dead Cow began as a small group of like-minded friends in Texas in 1983 and grew into one of the more influential and venerable hacking groups to emerge from the early days of the Internet. The cDc shares several members with the L0pht, another seminal hacking crew, and many of its members have gone on to considerable success, whether in the technology field or in medicine or the arts. Or even politics. Dennis Fisher recently spoke with journalist Joseph Menn, author of a new book called Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World, about the group's far-reaching influence on hacking culture, the tech industry, and the emergence of hacktivism.

Dennis Fisher: So how did you settle on Cult of the Dead Cow?

Joseph Menn: So it's not obvious on the surface, right? I mean, these guys peaked in fame like 20 years ago and a lot of young folks hadn't heard of the Cult of the Dead Cow. But my process was that, I'm an old guy and I've been covering cyber security and hackers for 20 years. And, I guess I'm best known for a previous book, Fatal System Error, which said that the Russian government was in cahoots with organized criminal hackers, which now seems like totally obvious, but when I published that in 2010, it was pretty radical. So that did really well because it was arguably the first mainstream popular book that sold a bunch of copies that says, hey, we're really screwed here. The combination of, you know, fairly indefensible technology, attack surface, geopolitics and the legal system, which, you know, allows pretty crappy software to propagate without liability. So, you know, that book brought like sort of widespread attention to it and even people in Congress read it. And since then there've been all these other books that say, well, this, this aspect of cybersecurity is terrible and that one's terrible. And you know, here's something about the surveillance state and here's something about the, you know, the military industrial internet complex and they're all, you know, a lot of them were quite good, but they're all sort of going the same direction. Like, we got a big problem here. And I decided that I wanted to do something that was more about what direction we should go in, sort of like a way forward, something that was more helpful than just, you know, calling attention to the problem because so many people were doing that. And so I also was trying to capitalize on the fact that I've been around for awhile. There are lots of younger, more energetic folks that can code now writing about cyber security. But I'm trying to think of some way I could leverage the fact that I've been around for awhile and you've seen sort of the ups and downs and I decided that what I wanted to do was, was find something that had that had worked or something that had been a real positive step in the past and see if I could bring that forward. You look back to the people that have been in something similar in the past. So what did we do the last time we were in a Cold War, what did we do last time that there was a complete split in society about some critical issues? With cyber security, one of the nice things is the heroes from the last one, the veterans are still around. So we can just go and ask them and that's what I tried to do. And these guys, they go back 35 years, you know, to the beginning when there was not a worldwide web. They are still around doing a variety of really interesting things in government and nonprofits and in the private sector. And the debates they had internally, their own moral development I think is a great way to sort of distill the key battles of the past.

Dennis Fisher: So as you started to look at the cDc as kind of an overarching group and their relationship to the security industry and the Internet as a whole, what was your way into this story?

Joseph Menn: Well, so one thing that was useful to me was the sort of chronological development, and actually this reminds me of my first solo book, which was about Napster. And one of the advantages to writing about Napster were two-fold. One, everybody had heard of it. And yet there were things that people didn't understand about what was going on in the inside of that company, which is as crazy as anything that's going on outside of the company. But the other is that the central figures where kids, you know, 17, 18 years old and they came out to Silicon Valley. And my purpose in writing the book was to educate people about how crazy Silicon Valley in the late Nineties was, you know, both in good ways where it brought forth great innovation and in bad ways where crazy greed heads corrupted those developments, which is exactly what happened with Napster. But the beauty part from a narrative perspective is that the 17 or 18 year olds don't know anything about venture capital. And so if you can recreate what it was like for them as like the VC comes in and pitches how this works, or the lawyer comes in and, and, and sells them, that their case is defensible, whatever, it's easy on the reader because you're bringing it to the reader's attention to your, you don't have to take a break and explain the history of Silicon Valley, because the kids are learning it too. So you learned through their eyes. And so that's what I wanted to do here. I mean, when the cDc started they were 13, 14 years old, you know, so you get the excitement of the ability to connect for the first time, even though it's a pain with the creaky modems that are run by hamsters and whatever. The most important part of this whole thing is sort of the moral development, the ethical calls, which are not only being made by security practitioners everyday now, but by mainstream tech companies, Google, Facebook. The moral calls they made when they're 13 or 14, you're like, well shit, is it better to steal a little long distance service from a lot of people or a lot of service from like one big company that won't even know?

If you start out with small moral stakes like that, and then you see the same people have to make bigger decisions, okay, now we've got a flaw in Windows architecture and Microsoft won't answer the phone. What are we doing? Now do we share it among our friends so that we can all hack more random people and go exploring? Do we give it to the U.S. government? What do we do? Quite famously, it was basically to have media circus, to go to DEF CON, start rapping and throwing out CDs with powerful software on it because yeah, some people are going to get hacked because of that. More of them definitely. But it's also going to force Microsoft to pay more attention. There are all sorts of close calls that are really important that are happening in obscurity or you know, a classified level that need broader discussion because they affect all of us.

Dennis Fisher: Yeah, there's a lot of parallels for that. That was 20 years ago, which is literally the dawn of the public internet. And there's still researchers grappling with that same question, how do I handle this? I think the cDc guys, what they did and the L0pht guys, had kind of the same approach.

Joseph Menn: I think that's an interesting thing. So, in retrospect, they were the pioneers of what is now called responsible disclosure, which is kind of the law of the land now. I don't think a lot of people realize how the L0pht and cDc work together, but they were the classic good cop, bad cop. So there were four people that were in both the L0pht and cDc over the lifespan of both. The L0pht did public advisories, you know, that are some of the first widespread advisories that really got vendors’ attention, but they were always sort of playing by the rules. I mean they didn't want their real names out, but they were interested in getting the government's attention. They got to go testify before Congress in 1998 and that was a real wake up call for folks. But when Back Orifice and Back Orifice 2K came out, that was giving exploits tools to the masses. And so there was kind of this unspoken thing where like, you know, if the L0pht doesn't get your attention, then meet my uncle cDc and they'll get your attention.

Dennis Fisher: There's some folks that I think a lot of people in the industry knew were members of cDc but had never really acknowledged it publicly, that you reveal in the book, with their permission, one of whom is currently running for president, Beto O'Rourke. So tell me a little bit about how you came upon that piece of information, how you decided how to handle it.

Joseph Menn: I've known about this for a long time now, but the idea that a hacker is a serious presidential candidate is kind of mind blowing. When I was exploring doing a book about cDc, I knew, in addition to their long history and the known players like Mudge and Chris Rioux, who founded Veracode, all these really significant figures. I knew some other things about it, and one of the things I turned up in that preliminary reporting is that they had a member of Congress who had been in, and they wouldn't tell me. The members who were speaking to me at that point early on wouldn't tell me which one. And I didn't know if I was ever going to figure out which one it was and if I did, if that person would talk to me or not. That was one of the factors that went into my saying, yeah, I think I can do a book on this that people would want to read. And so that was in my book proposal and I said, there is a congressman, I didn't say which one. And then I explained sort of the arc, like why that made sense as security is becoming more fundamental to technology as technology is becoming more fundamental to the economy and to social life and to geopolitics. And it is at some level appropriate and to be expected that sooner or later these security experts are going to play more central roles in our lives. But anyway, so I knew there was a congressman, I tried to figure out who it was and I happened to see that there was a guy running for Senate in Texas, who was in the sort of magic age bubble, which meant that he came of age after WarGames, the movie in 1983, and before the Computer Fraud and Abuse Act in 1986. So when you see what's possible and before it's explicitly criminalized, a very large number of the cDc folks fit into that bubble. So he fit in. So he's the right age. He was from Texas, which is where the group started. And he was in a punk rock band. And so I made a guess to my best cDc contacts and they wouldn't say one way or the other. They were like, no, we're not going to talk about that. But maybe we could talk about it after November. Well, that's the Senate race, so, okay, so I didn't have it, I couldn't report it. I didn't know it. Anyway I asked can I have the information under embargo, and so they said yes and they said it’s Beto. I said, holy cow. At that point he was running for Senate and after some time passed I had the opportunity to meet him. And I told him what I was doing. I told him the story, the book would not appear until after November. And he said, yeah, sure. And then he agreed to an interview and he was terrific.