How Beto O’Rourke’s hacker group changed cybersecurity as we know it

As of not too long ago, America’s oldest hacking collective was best known not for its work but its alumni or, more specifically, a particular alumnus and current presidential candidate: Beto O’Rourke. This certainly marks a milestone in both American politics and culture, but it wasn’t the primary motivation for Joseph Menn to write his new book about the Cult of the Dead Cow (better known as cDc), the group that O’Rourke hails from.

The work, Cult of the Dead Cow: How the Original Hacking Super Group Might Just Save the World, takes up the lofty task it lays out in its subtitle, at least insofar as the security of the world’s digital systems is concerned. For as long as networked computing devices have pervaded our daily lives, and information security professionals have scrambled to lock them down, the industry still has yet to find its footing in the undertaking. Anyone who has seen breach headline after breach headline can likely corroborate this.

“Lots of other people have done books calling out one or another aspect of the problem [in information security],” Menn said. “But I had not seen any readable, enjoyable book that pointed to a way forward.”

When we asked him what drove him to call to mind the storied hacker collective now, and for audiences that may not know about them, he pointed to the insurrection of rank-and-file tech sector employees in the absence of principled leadership from industry titans.

“When I began work three years ago, there were not discrete events [that inspired the book],” he said. “But the vulnerability of Facebook to state-sponsored misinformation during the 2016 election, the retreat of big tech on other moral issues, and the rise of Silicon Valley rank-and-file activism shaped my thinking and put an edge on my take.”

Through the lens of Menn’s canny study of hacking history, this lack of industry consensus on how to make progress isn’t because security professionals haven’t sufficiently moved beyond their roots, but precisely because they’ve strayed too far.

“One of the major reasons I undertook this project is to increase appreciation for hackers as critical thinkers,” he said. “We need critical thinking more than ever.”

A noble pursuit

Cult of the Dead Cow, formed in the auspicious cyberpunk year of 1984 in Lubbock, Texas, was a cadre of technically-savvy pranksters. Like many hackers since, and not really before, they were disillusioned with the corporate status quo and just bored (and brazen) enough to cattle-prod it in the most provocative ways they could imagine.

Coining the kind of hacker pseudonyms that are now idiomatic to that cultural enclave, and ensconcing multiple layers of meaning in their group moniker — not only is Lubbock the final destination for millions of bovines, but hackers are prone to delivering “0xDEADBEEF” to their victims’ systems — they set out to experiment with how to incentivize more responsible corporate behavior from the safety of anonymity. Norms were disregarded, minor laws were broken, and the public was occasionally deceived, but their actions were largely organized around the principle of making the software ordinary people used more secure… by any means necessary.

This was undeniably uncharted territory, and they took on considerable risk in endeavoring to blaze a trail through it. Their “Back Orifice” disclosure of a critical vulnerability in Windows in 1999 came at a time when outing security holes in any way could result in serious legal peril when the company inevitably retaliated.

But a lot of the reason why “security researchers,” hackers by a more respectable designation, can submit bugs, or even be compensated handsomely via bug bounty programs, is because cDc hackers weighed the consequences of inaction and dared to butt in. By contrast, today’s developers and penetration testers (another euphemism for hackers who work 9 to 5 for a company) haven’t had to put their finances or freedom on the line when navigating the ethical dimension of information security.

“They were willing to debate the ethics of their decisions, and they saw their role as furthering social good,” Menn said. “Today’s infosec industry is too compartmentalized, and often too clean. By that I mean new entrants can go to a nice college and then a nice company and get into the security business without going through the moral forge that comes from having to make personal decisions about crime and relationships and improper access and disclosure.”

It’s time, in Menn’s view, for information security professionals to take a long look in the mirror and ask themselves if what they’re doing really drives the best outcomes.

“I want them to learn the most important lessons from the recent past and decide whose shoulders to stand on,” Menn said.

Anonymous no more

To even tell the story of how a bold group of teenagers got the likes of Microsoft to capitulate when faced with their own errors with the sensitivity that Menn does was a feat in itself. While Silicon Valley looks kindlier on responsible vulnerability disclosures, and has incorporated much of the tradecraft cDc popularized, many of the original members fiercely guarded their anonymity until speaking with Menn for the book.

The increased familiarity with hackers that shows like Mr. Robot have fostered may be part of why the cDc veterans have doffed their masks, but Menn believes it has more to do with realizing the importance of what they can contribute.

“I think they came forward because they agreed their story was valuable and understood that to be credible, I needed real names and documents,” he said. “Yes, hackers are more mainstream now and the cDc in particular has broad respect, and both made it easier for them to raise their hands. But new information gets oversimplified and twisted for a variety of ends.”

But if the absorption of hackers into the mainstream were complete, and your average person knew the whole story, Menn likely wouldn’t have gone to such lengths. Seen from its complete arc — at least so far, with their work far from finished — it would probably come as a shock just how much cultural ground hackers have covered.

After asking Menn what surprised him the most about his research, he had no shortage of revelations.

“[I was surprised] that a sitting U.S. Congressman had been a member of the most important group of hackers in American history, that he had been the one to gender-integrate it, that the secret had held for so long, that he would agree to discuss it with me, and that he would declare for President as I was going to press.”