By Joseph Menn
Read by Jonathan Davis
Formats and Prices
This item is a preorder. Your payment method will be charged immediately, and the product is expected to ship on or around June 4, 2019. This date is subject to change due to shipping delays beyond our control.
Explore book giveaways, sneak peeks, deals, and more.
> AUTHOR’S NOTE
TECHNOLOGY IS DECIDING the fate of the world, and we are everywhere in its chains. Electronic surveillance, cyberwarfare, artificial intelligence, and manipulated social media are on the brink of pushing societies beyond a point of no return. Even those of us who saw this coming did not think it would get this dire this fast, and definitely not in this way.
For the past two decades I’ve covered the tech industry as a journalist, and I have been drawn most often to the issues of security and privacy. They immediately cross lines from business to politics and challenge our ideas about safety, freedom, and justice, and it has been fascinating to watch and occasionally participate as governments, companies, and civic-minded people grapple with the fast-changing ramifications. Security is about power. And it has been getting increasingly complex since the moment the internet escaped from its controlled university environment in the 1980s.
As I worked on my first book out of Silicon Valley, about the rise and fall of Napster, I began to grow more concerned about computer security, or the lack of it. Shawn Fanning was one of the first hackers to be admired by the public at large, and he got early help from a more experienced crew, including some people I kept in touch with and who appear in this volume. Though the record industry would beg to differ, most of Fanning’s group were the good guys, tinkering in order to learn, not to be malicious. But all of the trends they pointed me to were bad.
As the state of security deteriorated and the stakes rose, I devoted my next book to the topic. Fatal System Error showed the scale of the danger, looking especially at how organized crime and some of the world’s most powerful governments were collaborating to leverage inherently flawed technology, the failure of the market for security products, and minimal regulation. At the heart of that book was a true tale of Russian intelligence collaborating with criminal hackers, a scenario that went from shocking at the time of publication in 2010 to widely accepted today.
Since then, many books have tackled the military-internet complex, intelligence gathering, and cyberwarfare, together with WikiLeaks, Edward Snowden, and the 2016 US election. Missing in all of them has been a compelling account of the people dedicated to information security who are out of the spotlight or even in the shadows, fighting to protect our personal data and freedom as well as our national security. In many cases, these people are more colorful than their adversaries. That is especially true of the people whose tale is told in this book: key members of the Cult of the Dead Cow, who have played a role in all of the major issues cited above. While their more overt antics drew attention in the past, until now no one has heard their real story, and some young hackers haven’t heard of them at all. Yet the Cult of the Dead Cow is a skeleton key for the whole saga of modern security, especially the struggle to sort through what is ethical. cDc stands in here for many others who are doing heroic work well away from public view.
Fatal System Error was a dire warning during a time when many were oblivious. Now, in a time of wider moral crisis in technology, this book is a rare message of hope and inspiration for tackling worse problems before it’s too late.
> THE PLAYERS
Cult of the Dead Cow
Kevin Wheeler / Swamp Rat
Bill Brown / Franken Gibe
Carrie Campbell / Lady Carolin
Jesse Dryden / Drunkfux
Paul Leonard / Obscure Images
Chris Tucker / Nightstalker
Dan MacMillan / White Knight
Misha Kubecka / Omega
John Lester / Count Zero
Luke Benfey / Deth Vegetable
Sam Anthony / Tweety Fish
Peiter Zatko / Mudge
Laird Brown / Oxblood Ruffin
Josh Buchbinder / Sir Dystic
Christien Rioux / Dildog
Adam O’Donnell / Javaman
Jacob Appelbaum / IOerror
Kemal Akman / Mixter
Patrick Kroupa / Lord Digital
cDc Ninja Strike Force
Chris Wysopal / Weld Pond
Window Snyder / Rosie the Riveter
Limor Fried / Lady Ada
Legion of Doom
Masters of Deception
Elias Ladopoulos / Acid Phreak
Mark Abene / Phiber Optik
> CHAPTER 1
> AN EVENING IN SAN FRANCISCO
ON A TUESDAY evening in October 2017, three dozen friends and acquaintances gathered in the San Francisco townhouse of security engineer Adam O’Donnell for a political fundraiser. Though a boom in Bay Area real estate put the hillside place in Glen Park out of the reach of most Americans, it was modest by local standards. There weren’t nearly enough chairs for those who came to the dinner party, and the guests made their own tacos and drank wine from plastic cups as they stood. Adam was no swaggering Silicon Valley executive. The Philadelphia native had bought the property before the latest housing boom, using money from the sale of a security company where he had worked to Cisco Systems. Adam had joined the target company when it bought the start-up he had cofounded in 2009, which had been early to take advantage of what became known as the cloud, protecting computers from viruses more quickly than rivals. Adam now moved nervously through his home, thanking guests for coming and redoing the math in his head in hopes that the $250-per-head minimum would make it worth the candidate’s plane trip.
Adam wasn’t accustomed to entertaining people he didn’t know well. Now approaching forty, he’d grown up a working-class kid who liked to tinker and eventually had earned a doctorate in engineering. Even as hacking became the stuff of countless headlines, controversial elections, and undeclared warfare, Adam stayed in the background. At Cisco, Adam was working on a rare joint effort with Apple to help companies protect employee iPhones. It wasn’t particularly glamorous. His most exciting work was something he didn’t talk about. Under the handle Javaman, Adam was a longtime member of the oldest, best-known, and most important hacking group of all time, the Cult of the Dead Cow. Walking in Adam’s front door, some old-school hackers saw the cow skull hanging in the foyer and got the reference. If not, Adam didn’t explain.
Though it has never had more than twenty active members at a time, cDc has multiple claims on history. As it evolved from a pre-web community into something like a hacker performance-art troupe, cDc members started the first hacker convention to invite media and law enforcement. They developed hacking tools that are still being used by criminals, spies, and professional network administrators. And they invented the term hacktivism, which the group defined as hacking in defense of human rights. It rarely inducted new members, and when it did, cDc usually picked people already established through other groups, making it a supergroup in the rock-and-roll sense—a band formed of people from other bands. As cDc matured, its members became leaders in changing hacking from a hobby to a profession to a mode of warfare, or really several modes. That warfare has metastasized in the past decade, encompassing the US-led Stuxnet attack on Iran’s nuclear program, Russia’s blackouts of electrical systems in Ukraine, and China’s methodical pillaging of Western trade secrets. The unstoppable, semiautomated propaganda that helped propel the 2016 election of Donald Trump was just the latest, most complicated, and most effective twist. Such information operations and sabotage threaten to continue indefinitely around the world with little oversight.
Most Cult of the Dead Cow members have remained anonymous, although sixteen have agreed to be named for the first time in these pages, including all of the previously cloaked core participants. That invisibility, dating to the group’s founding in 1984, enhanced its mystique. It also gave the fifty or so sometime participants more freedom to navigate the world without being judged or misjudged, in some cases reaching powerful positions. Yet a few have become not only public but famous over the years, including Peiter Zatko, known online as Mudge. In Boston, Mudge fronted the pro-security or “white hat” hacking group called the L0pht (pronounced “loft”), pioneers for warning software companies about security flaws in their wares, rather than just exploiting them to break into users’ machines. Then Mudge’s squad turned the L0pht into the first big consulting group of star hackers, called @stake; later he led the cybersecurity efforts at the Defense Advanced Research Projects Agency (DARPA), powering both US military defense and still-undisclosed offensive hacks that headed off worse violence in the Middle East. Even more famous in recent years has been Jacob Appelbaum, alias IOerror. The charismatic American face of Tor, the most important tool for preserving privacy on the net, Jake served as one of the last loyal aides to WikiLeaks leader Julian Assange, and he personally revealed hacking tools developed by the National Security Agency. When his own acolytes exposed Jake for sexual harassment, the Cult of the Dead Cow publicly booted him out. But probably the most influential cDc member in steering hacker culture is Laird Brown, known to most by his handle, Oxblood Ruffin. The father of hacktivism, Laird invented facts and was closer than his followers realized to Western intelligence figures, but he drove moral considerations to the heart of a global debate and ended up saving countless lives.
Because they were the first to grapple with many ethical issues in computer security, cDc members inspired legions of hackers and professionals who came after them. cDc figures and those they trained have advised US presidents, cabinet members, and the chief executives of Microsoft, Apple, and Google. And as issues of tech security became matters of public safety, national security, and ultimately the future of democracy, the Cult of the Dead Cow’s influence figured in critical decisions and national dialogue, even if many were unaware of its role. In the Silicon Valley of 2018, cDc shared indirect responsibility for rank-and-file engineers citing human rights to protest their own companies’ work with immigration enforcement, the Pentagon, and China.
Adam had contributed to other political campaigns, especially in the wake of Trump’s election, including some Democratic neophytes identified by the entrepreneur founder of a new Bay Area grassroots group called Tech Solidarity. And he would soon write a program to help target likely Democratic voters on Facebook the way Trump had gone after Republicans. But playing party host was a bit scary for an introvert like him. So Adam had asked one of the Cult of the Dead Cow’s most prominent protégés to join him as cohost—Facebook’s chief security officer, Alex Stamos. The grandson of Greek Cypriot immigrants who ended up in Sacramento, Stamos had a trajectory similar to Adam’s—public schools, serious technical higher education, and then jobs as a principled hacker. One of his first was at @stake, working for Mudge and others in the L0pht who had wowed him by testifying to Congress in 1998, under their hacker handles, about the dismal state of cybersecurity.
Following in cDc’s footsteps, Stamos had earned a reputation for independence. When Edward Snowden leaked files showing that the NSA was collaborating closely with the big internet companies, especially to scoop up data on people in other countries, Stamos gave a heartfelt talk on ethics at the biggest hacking conference, Def Con. He declared that despite the lack of widely enforced moral codes, security experts should consider resigning their posts rather than violate human rights. For all the stridency, Yahoo hired Stamos as chief information security officer, part of the general public response by Silicon Valley giants to the exposure of complicity. He stayed until 2015, when he quietly quit over the company’s unannounced searches of all user email under a secret court order. Since then he had held the top security job at Facebook, trying to limit the damage of Russian hackers spreading hacked Democratic emails under false pretenses and fighting other battles against propaganda, despite lukewarm support from above.
Separately from his work at Facebook, Stamos engaged in electoral politics. At Yahoo, he had briefed Congress on security issues, and he had been impressed by some representatives and dismayed by others. Realizing that his seat at a big company gave him special access, he used that and personal donations to candidates from both parties, including Texas Republican Will Hurd, to push on the issues he cared about. His legislative wish list included combining US cybersecurity defense in one agency, instead of having multiple agencies working mainly on offense. He also wanted to reform hacking prosecutions, currently guided by the sweeping Computer Fraud and Abuse Act, and prohibit built-in government back doors for spying in tech products, which Stamos thought would cripple American companies as other countries turned away. And like former White House cybersecurity advisor Richard Clarke, he wanted a more robust White House process for deciding what software flaws to hoard for offense and which to disclose for defense. At Facebook, Stamos was quietly helping with special counsel Robert Mueller’s investigation into Russian meddling during the 2016 election.
Adam figured Stamos would want to support tonight’s candidate because of his technological philosophy and the potential significance of the race to the future of the country. There were deeper reasons as well, including a chance to pay a sort of cosmic Silicon Valley penance. The candidate was Beto O’Rourke, a Democrat who was hoping to emerge from the primary and face Republican Ted Cruz in November for a Texas seat in the US Senate. Cruz was the heavy favorite against pretty much anyone. No Democrat had won a statewide Texas vote since 1994, and Cruz was one of the best-known and best-funded members of the Senate, the Republican runner-up when Trump won the national primaries in 2016. But Cruz also had a special resonance for anyone deeply informed about Facebook, the Mueller probe, or both, as Stamos was. Cruz once had been the top political client of Cambridge Analytica, which had siphoned off Facebook data on as many as 87 million mostly unwitting users as it coached Cruz, and then Trump, on how to target them with effective ads. Looking at the full electoral picture, Republicans held a slim Senate majority, and flipping just two seats would allow Democrats to block automatic approval for Trump’s Supreme Court and cabinet picks and, if necessary, protect Mueller’s probe.
It wasn’t just those who had failed to supervise the mindless algorithms at Facebook, Twitter, and YouTube who had something to regret after the 2016 election. The Cult of the Dead Cow had amends to make as well. It had turned the creativity and antiestablishment antics of the hacking world against the mainstream media, hustling national television and print outlets for fun and to raise awareness of various issues. A side group cDc called the Ninja Strike Force, created in innocence but later left unsupervised, had deteriorated and recently attracted race-baiting provocateurs who adopted cDc’s methods but not its message. A few latter-day members stirred up hate on social media and promoted the technologist behind the biggest neo-Nazi publications, which actively supported Trump.
After a few words from Adam and Stamos, O’Rourke spoke to the group. He had run a small software company and alternative publication before winning an underdog race for city council and another for Congress, where he was serving his third and final two-year term. Slim and six-foot-four, he wore an open-collared shirt and a blue suit as he explained that he had decided to run on the night Trump was elected president. He and his wife, Amy, had been trying to decide what to tell their three children in the morning, and what they would tell them in later years. “What did we do? How did we account for ourselves?” O’Rourke recalled the conversation. He would have to stand down as a representative to appear on the ballot for the Senate, but O’Rourke had decided it was worth the risk. He had been driving to every county in Texas, his campaign was gaining real momentum, and he thought he had a chance. Education, access to health care, and jobs were more important, he said, than blue or red, and the willingness of voters to install someone who would “blow up the system,” like Trump, could be harnessed. The biggest challenge was getting people to the polls.
It helped, O’Rourke said, that Texans hate phonies, so he didn’t hide that he opposed Trump’s planned border wall, thought Trump should be impeached, and supported abortion rights, the legalization of marijuana, and gun control, as did most Bay Area tech workers. He was already fighting in the House to overrule Trump’s Federal Communications Commission and restore net neutrality, which kept internet access providers from favoring some content over others. O’Rourke didn’t have to contrast his frankness with Cruz’s flexibility. Everyone there knew the incumbent had declined to endorse candidate Trump after he attacked Cruz’s wife’s looks and suggested Cruz’s father had been involved in John F. Kennedy’s assassination, before Cruz rolled into line anyway. “We’ve just owned everything that we are about and believe in,” O’Rourke said. Declining money from political action committees hurt, but Adam and Stamos’s fundraiser helped. Several who attended it went on to hold their own fundraising parties in a chain reaction. Across the country in Boston, cDc stalwart Sam Anthony, a Harvard doctoral candidate working to make self-driving cars safer, held a fundraiser for O’Rourke that likewise inspired additional East Coast donations.
Though many others would also gravitate toward helping O’Rourke as he gained steam, won the 2018 primary, and drew almost even with Cruz in the polls, the early support in San Francisco and Boston was fitting. Those two cities had the most cDc members. And, as it happened, the group had had its start in O’Rourke’s home state of Texas.
> CHAPTER 2
> TEXAS T-FILES
LIKE MANY OF the internet’s earliest adopters, Kevin Wheeler willingly struggled to master the new and clunky medium out of a deep need for human connection. The nerdy son of a university administrator and a music teacher had enjoyed a group of similar friends in Kent, Ohio, where they played Dungeons & Dragons. But then the family moved to Lubbock, Texas, in 1983, and the thirteen-year-old had the culture shock of his life.
It was bad enough just being a rebellious teenager in the heart of the Reagan Republican era. But now, at his new junior high school, Kevin was lost among the culturally conservative evangelicals whose idea of a rebel was hometown hero Buddy Holly. Kevin tried to talk to the rich kids, but they were snobby and mean. He tried the poor kids, and they shocked him, trading tales of sex and drugs. But they let him sit with them, so he stayed.
A couple of other kids had parents working at the big Texas Instruments plant and were also technologically inclined. Others started paying attention to what could happen with computers after seeing the movie War Games, which came out the year Kevin arrived in town. The film depicted teenager Matthew Broderick dialing out randomly through a clunky gadget called a modem that sat between his computer and his home phone line. Broderick’s character accidentally tapped into a military supercomputer. The budding hackers of Lubbock weren’t looking for trouble either. A couple of the older kids had set up electronic forums known as bulletin boards, where strangers, using modems to call in over regular phone lines, could read or leave messages and text files, which the locals also called t-files. Widespread use of web browsers was still a dozen years away.
Kevin had put in two years on his Apple II by the time he moved to Lubbock, so he found the local bulletin boards in short order. There weren’t a lot in his 806 area code, and most were run by hobbyists talking about computers. Some older teenagers had one that was more freewheeling, and Kevin and a group of friends chatted there for a while, until the bigger kids got tired of the hangers-on and banned them. Kevin was indignant. “We have to make our own and truly be elite,” he told friends. Kevin and the others started several boards and filled them with text files on heavy metal and parodies of Star Wars and other pop culture topics, as well as satires of the more serious bulletin board operators and swaggering hackers. The boards cross-referenced each other’s titles and phone numbers and banded together under the name Pan-Galactic Entropy.
To dial interesting bulletin boards outside the area code meant hefty long-distance charges on the home phone bill. Anyone without rich and forgiving parents needed someone else’s credit card, or a five-digit code from a long-distance company like MCI, or some actual hacking ability. The easiest of those to come by was a five-digit code, which could be cracked by hand with repeated trial and error by those who were truly dedicated. The winning digits spread like hot gossip in the school lunchroom and by bulletin board postings at night. That worked until too many people used them and MCI noticed and revoked the number, which would usually take about a month. Then a new one would be discovered and passed around.
If you spent enough time at it, you could find a bulletin board with just your kind of content and just your kind of attitude. Most boards let you download what they had and repost it on your own board, if you had a modem that was fast enough or that you could let run all night to digest a big file—that is, if nobody needed to make a regular call, so you could stay connected. Kevin’s parents didn’t seem to mind his occupying the phone line and staying up late downloading files.
Like many his age, Kevin hunted for new programs he could run on his Apple, which meant obtaining and trading “cracked” versions with the digital controls limiting usage removed, known as warez. But reading and soon writing text files were what Kevin cared most about. It was a creative outlet for him, and he had an audience. He wanted his text files to be funny, or at least provocative, so he could connect to other kids who got the same jokes. After a 1985 summer job at a computer store brought in enough money for Kevin to buy a $715 hard drive, he launched his own bulletin board, Demon Roach Underground. One of the first files to go up was Kevin’s nonsense riff on the established genre of subversive files with material like that in the printed tome The Anarchist’s Cookbook, which gave instructions on most things dangerous and illegal.
Kevin’s offering was “Gerbil Feed Bomb,” and it used numbered instructions and advised readers to, among other things, grind pet food pellets up, pour the grains into a glass jar, and dump them out again. Then they were to pour gas into the jar, light a fuse, and run away screaming. It was passable juvenile humor. But while it made fun of anarchist credos, it also mocked the police who would respond to the explosion: “The police are your friends!” And it talked about how much fun it was to whack a bag of pet food with a bat and pretend it was Republican first lady Nancy Reagan, inventor of the “Just Say No” antidrug campaign. Kevin himself was never interested in drugs or even beer, but that didn’t mean the Reagans didn’t deserve to be mocked.
Online, everyone needed a handle. Kevin picked Swamp Rat because he loved playing in the marsh near his home. The nickname soon evolved to the more distinguished Swamp Ratte and eventually to Grandmaster Ratte. One of his earliest online cohorts took the unoriginal name Sid Vicious after the most pathetic, drug-addicted member of one of the first punk bands, the Sex Pistols. In reality, Sid was an eighth grader named Brandon Brewer who lived in the nearby town of Friendship. Unlike the pale and reclusive Kevin, Brandon played sports. But he and his older brother Ty, known as Graphic Violence, also ran a bulletin board called KGB, after the Soviet spy agency. It hosted real bomb-making instructions, among other things. But it also kept the brothers from getting drunk and getting in trouble outside their house. Kevin later told a friend that KGB “had some nutty retardo sex & violence stuff and some kinda phreaking thing about MCI,” referring to the telephonic equivalent of computer hacking.
Brandon had more technological ambition than Kevin. He went dumpster diving outside big company offices, looking for anything that would help him break electronically into those businesses. He also used “blue boxes,” which were prime devices for phreaking. They emitted tones over phone lines to rig free long-distance calls. A favorite game was to keep transferring calls to stations farther along in the same direction, eventually circumnavigating the world to ring a second phone in his own house. Such phone tricks were still easier than programming, though the great transition was coming soon. When the Brewer boys got new software for their computer, it still had to be keyed in by hand. One would dictate a line of code while the other one typed. When their fingers grew sore, they switched.
Brandon and Kevin didn’t want to seem as menacing as the serious hackers, the ones who might go to jail. “In our circle, there was nothing malicious; you never went in there trying to harm somebody’s system,” Brandon said. “It was all about getting through the wall.” Still, they wanted to be taken seriously. And the name Pan-Galactic Entropy didn’t sound menacing enough to be cool. It was too Hitchhiker’s Guide nerdy. They kicked around possible new names for their effort to tie together their small community of bulletin boards and writing and decided that something with the word cult
- "Long before there was a multi-billion dollar cyber industry, there were some ethical hackers who showed us that the Silicon Valley emperors had no clothes. They looked like misfits, but they showed us how insecure the Internet was and how to make it better. Joe Menn makes this previously untold story entertaining and relevant to today's cyber threats."—Richard A. Clarke, first White House "Cyber Czar"
- "Cult of the Dead Cow is an exhilarating and essential look into a part of the hacker underground that has shaped the modern world in profound ways. Readers will be amazed by this crew of eccentric, impassioned geniuses who have so often served as the Internet's conscience while lurking unknown in the shadows. The depth of Joe Menn's reporting is as astonishing as his storytelling - no one could have captured this tale better."—Ashlee Vance, author of Elon Musk: Tesla, SpaceX, and the Quest for a Fantastic Future
- "Cult of the Dead Cow reveals a story few know about the origins of white hat hacking and the heroes it celebrates. Despite the title, hacking isn't dead yet!"—Vint Cerf, co-inventor of the Internet
- "This dramatic story of how the Internet's first hackers learned to handle their outsized abilities can help us grapple to control the power of today's technology titans."—Bruce Schneier, Harvard fellow and lecturer and author of Click Here to Kill Somebody
- "The author narrates a fast-paced story about how a little-known movement that could trace its roots to the psychedelic rock of the 1960s-one visionary was the son of the Jefferson Airplane's drummer, while another was a lyricist for the Grateful Dead-would eventually serve as security advisory for the Pentagon, the cybernetics industry, and geopolitical forces around the globe... A quick tale of black hats and white hats, with a lot of gray area in between."—Kirkus Reviews
- "An invaluable resource. The tale of this small but influential group is a hugely important piece of the puzzle for anyone who wants to understand the forces shaping the internet age."—New York Times Book Review
- On Sale
- Jun 4, 2019
- Hachette Audio