Cult of the Dead Cow

> CHAPTER 1

> AN EVENING IN SAN FRANCISCO

ON A TUESDAY evening in October 2017, three dozen friends and acquaintances gathered in the San Francisco townhouse of security engineer Adam O’Donnell for a political fundraiser. Though a boom in Bay Area real estate put the hillside place in Glen Park out of the reach of most Americans, it was modest by local standards. There weren’t nearly enough chairs for those who came to the dinner party, and the guests made their own tacos and drank wine from plastic cups as they stood. Adam was no swaggering Silicon Valley executive. The Philadelphia native had bought the property before the latest housing boom, using money from the sale of a security company where he had worked to Cisco Systems. Adam had joined the target company when it bought the start-up he had cofounded in 2009, which had been early to take advantage of what became known as the cloud, protecting computers from viruses more quickly than rivals. Adam now moved nervously through his home, thanking guests for coming and redoing the math in his head in hopes that the $250-per-head minimum would make it worth the candidate’s plane trip.

Adam wasn’t accustomed to entertaining people he didn’t know well. Now approaching forty, he’d grown up a working-class kid who liked to tinker and eventually had earned a doctorate in engineering. Even as hacking became the stuff of countless headlines, controversial elections, and undeclared warfare, Adam stayed in the background. At Cisco, Adam was working on a rare joint effort with Apple to help companies protect employee iPhones. It wasn’t particularly glamorous. His most exciting work was something he didn’t talk about. Under the handle Javaman, Adam was a longtime member of the oldest, best-known, and most important hacking group of all time, the Cult of the Dead Cow. Walking in Adam’s front door, some old-school hackers saw the cow skull hanging in the foyer and got the reference. If not, Adam didn’t explain.

Though it has never had more than twenty active members at a time, cDc has multiple claims on history. As it evolved from a pre-web community into something like a hacker performance-art troupe, cDc members started the first hacker convention to invite media and law enforcement. They developed hacking tools that are still being used by criminals, spies, and professional network administrators. And they invented the term hacktivism, which the group defined as hacking in defense of human rights. It rarely inducted new members, and when it did, cDc usually picked people already established through other groups, making it a supergroup in the rock-and-roll sense—a band formed of people from other bands. As cDc matured, its members became leaders in changing hacking from a hobby to a profession to a mode of warfare, or really several modes. That warfare has metastasized in the past decade, encompassing the US-led Stuxnet attack on Iran’s nuclear program, Russia’s blackouts of electrical systems in Ukraine, and China’s methodical pillaging of Western trade secrets. The unstoppable, semiautomated propaganda that helped propel the 2016 election of Donald Trump was just the latest, most complicated, and most effective twist. Such information operations and sabotage threaten to continue indefinitely around the world with little oversight.

Most Cult of the Dead Cow members have remained anonymous, although sixteen have agreed to be named for the first time in these pages, including all of the previously cloaked core participants. That invisibility, dating to the group’s founding in 1984, enhanced its mystique. It also gave the fifty or so sometime participants more freedom to navigate the world without being judged or misjudged, in some cases reaching powerful positions. Yet a few have become not only public but famous over the years, including Peiter Zatko, known online as Mudge. In Boston, Mudge fronted the pro-security or “white hat” hacking group called the L0pht (pronounced “loft”), pioneers for warning software companies about security flaws in their wares, rather than just exploiting them to break into users’ machines. Then Mudge’s squad turned the L0pht into the first big consulting group of star hackers, called @stake; later he led the cybersecurity efforts at the Defense Advanced Research Projects Agency (DARPA), powering both US military defense and still-undisclosed offensive hacks that headed off worse violence in the Middle East. Even more famous in recent years has been Jacob Appelbaum, alias IOerror. The charismatic American face of Tor, the most important tool for preserving privacy on the net, Jake served as one of the last loyal aides to WikiLeaks leader Julian Assange, and he personally revealed hacking tools developed by the National Security Agency. When his own acolytes exposed Jake for sexual harassment, the Cult of the Dead Cow publicly booted him out. But probably the most influential cDc member in steering hacker culture is Laird Brown, known to most by his handle, Oxblood Ruffin. The father of hacktivism, Laird invented facts and was closer than his followers realized to Western intelligence figures, but he drove moral considerations to the heart of a global debate and ended up saving countless lives.

Because they were the first to grapple with many ethical issues in computer security, cDc members inspired legions of hackers and professionals who came after them. cDc figures and those they trained have advised US presidents, cabinet members, and the chief executives of Microsoft, Apple, and Google. And as issues of tech security became matters of public safety, national security, and ultimately the future of democracy, the Cult of the Dead Cow’s influence figured in critical decisions and national dialogue, even if many were unaware of its role. In the Silicon Valley of 2018, cDc shared indirect responsibility for rank-and-file engineers citing human rights to protest their own companies’ work with immigration enforcement, the Pentagon, and China.

Adam had contributed to other political campaigns, especially in the wake of Trump’s election, including some Democratic neophytes identified by the entrepreneur founder of a new Bay Area grassroots group called Tech Solidarity. And he would soon write a program to help target likely Democratic voters on Facebook the way Trump had gone after Republicans. But playing party host was a bit scary for an introvert like him. So Adam had asked one of the Cult of the Dead Cow’s most prominent protégés to join him as cohost—Facebook’s chief security officer, Alex Stamos. The grandson of Greek Cypriot immigrants who ended up in Sacramento, Stamos had a trajectory similar to Adam’s—public schools, serious technical higher education, and then jobs as a principled hacker. One of his first was at @stake, working for Mudge and others in the L0pht who had wowed him by testifying to Congress in 1998, under their hacker handles, about the dismal state of cybersecurity.

Following in cDc’s footsteps, Stamos had earned a reputation for independence. When Edward Snowden leaked files showing that the NSA was collaborating closely with the big internet companies, especially to scoop up data on people in other countries, Stamos gave a heartfelt talk on ethics at the biggest hacking conference, Def Con. He declared that despite the lack of widely enforced moral codes, security experts should consider resigning their posts rather than violate human rights. For all the stridency, Yahoo hired Stamos as chief information security officer, part of the general public response by Silicon Valley giants to the exposure of complicity. He stayed until 2015, when he quietly quit over the company’s unannounced searches of all user email under a secret court order. Since then he had held the top security job at Facebook, trying to limit the damage of Russian hackers spreading hacked Democratic emails under false pretenses and fighting other battles against propaganda, despite lukewarm support from above.

Separately from his work at Facebook, Stamos engaged in electoral politics. At Yahoo, he had briefed Congress on security issues, and he had been impressed by some representatives and dismayed by others. Realizing that his seat at a big company gave him special access, he used that and personal donations to candidates from both parties, including Texas Republican Will Hurd, to push on the issues he cared about. His legislative wish list included combining US cybersecurity defense in one agency, instead of having multiple agencies working mainly on offense. He also wanted to reform hacking prosecutions, currently guided by the sweeping Computer Fraud and Abuse Act, and prohibit built-in government back doors for spying in tech products, which Stamos thought would cripple American companies as other countries turned away. And like former White House cybersecurity advisor Richard Clarke, he wanted a more robust White House process for deciding what software flaws to hoard for offense and which to disclose for defense. At Facebook, Stamos was quietly helping with special counsel Robert Mueller’s investigation into Russian meddling during the 2016 election.

Adam figured Stamos would want to support tonight’s candidate because of his technological philosophy and the potential significance of the race to the future of the country. There were deeper reasons as well, including a chance to pay a sort of cosmic Silicon Valley penance. The candidate was Beto O’Rourke, a Democrat who was hoping to emerge from the primary and face Republican Ted Cruz in November for a Texas seat in the US Senate. Cruz was the heavy favorite against pretty much anyone. No Democrat had won a statewide Texas vote since 1994, and Cruz was one of the best-known and best-funded members of the Senate, the Republican runner-up when Trump won the national primaries in 2016. But Cruz also had a special resonance for anyone deeply informed about Facebook, the Mueller probe, or both, as Stamos was. Cruz once had been the top political client of Cambridge Analytica, which had siphoned off Facebook data on as many as 87 million mostly unwitting users as it coached Cruz, and then Trump, on how to target them with effective ads. Looking at the full electoral picture, Republicans held a slim Senate majority, and flipping just two seats would allow Democrats to block automatic approval for Trump’s Supreme Court and cabinet picks and, if necessary, protect Mueller’s probe.

It wasn’t just those who had failed to supervise the mindless algorithms at Facebook, Twitter, and YouTube who had something to regret after the 2016 election. The Cult of the Dead Cow had amends to make as well. It had turned the creativity and antiestablishment antics of the hacking world against the mainstream media, hustling national television and print outlets for fun and to raise awareness of various issues. A side group cDc called the Ninja Strike Force, created in innocence but later left unsupervised, had deteriorated and recently attracted race-baiting provocateurs who adopted cDc’s methods but not its message. A few latter-day members stirred up hate on social media and promoted the technologist behind the biggest neo-Nazi publications, which actively supported Trump.

After a few words from Adam and Stamos, O’Rourke spoke to the group. He had run a small software company and alternative publication before winning an underdog race for city council and another for Congress, where he was serving his third and final two-year term. Slim and six-foot-four, he wore an open-collared shirt and a blue suit as he explained that he had decided to run on the night Trump was elected president. He and his wife, Amy, had been trying to decide what to tell their three children in the morning, and what they would tell them in later years. “What did we do? How did we account for ourselves?” O’Rourke recalled the conversation. He would have to stand down as a representative to appear on the ballot for the Senate, but O’Rourke had decided it was worth the risk. He had been driving to every county in Texas, his campaign was gaining real momentum, and he thought he had a chance. Education, access to health care, and jobs were more important, he said, than blue or red, and the willingness of voters to install someone who would “blow up the system,” like Trump, could be harnessed. The biggest challenge was getting people to the polls.

It helped, O’Rourke said, that Texans hate phonies, so he didn’t hide that he opposed Trump’s planned border wall, thought Trump should be impeached, and supported abortion rights, the legalization of marijuana, and gun control, as did most Bay Area tech workers. He was already fighting in the House to overrule Trump’s Federal Communications Commission and restore net neutrality, which kept internet access providers from favoring some content over others. O’Rourke didn’t have to contrast his frankness with Cruz’s flexibility. Everyone there knew the incumbent had declined to endorse candidate Trump after he attacked Cruz’s wife’s looks and suggested Cruz’s father had been involved in John F. Kennedy’s assassination, before Cruz rolled into line anyway. “We’ve just owned everything that we are about and believe in,” O’Rourke said. Declining money from political action committees hurt, but Adam and Stamos’s fundraiser helped. Several who attended it went on to hold their own fundraising parties in a chain reaction. Across the country in Boston, cDc stalwart Sam Anthony, a Harvard doctoral candidate working to make self-driving cars safer, held a fundraiser for O’Rourke that likewise inspired additional East Coast donations.

Though many others would also gravitate toward helping O’Rourke as he gained steam, won the 2018 primary, and drew almost even with Cruz in the polls, the early support in San Francisco and Boston was fitting. Those two cities had the most cDc members. And, as it happened, the group had had its start in O’Rourke’s home state of Texas.