Jun 6, 2019

Lessons from history's great hacker groups

The logo for the Cult of the Dead Cow

Illustration: Axios Visuals

The best way to solve today's unprecedented problems in cybersecurity is to learn from the problem-solving hacker groups of the late 80s and 90s, according to Joseph Menn, author of the just-released "Cult of the Dead Cow," a chronicle of one of the most legendary of those groups.

The big picture: The Cult of the Dead Cow (cDc) began as a group of mostly Texans, mostly teenagers, communicating over telephone-based bulletin boards in an era before the web existed, becoming pioneers of hacking in the public interest. Menn's book covers the heyday of the group and some of its contemporaries, including The L0pht and W00W00 (note the zeros in place of Os).

Details: "They were critical thinkers. They didn't give up when the problems were bigger than they thought," Menn told Axios.

  • Menn had access to communications between group members in writing the book, and he explores the group's real-time debates over how best to solve ethical problems they came across.
  • Working on the fly, the cDc and L0pht groups solved some of the fundamental problems of cybersecurity ethics in lasting, practical ways — with an innovative, sometimes dangerous spirit Menn hopes can be applied to today's problems.

So why write about the cDc now? "We need to celebrate the good things that happen in infosec [information security] — there aren't a lot of them — and celebrate the things that can be emulated," said Menn.

  • There are any number of books that cover the looming dangers of cybersecurity — Menn wrote one of them himself.
  • "Since then, there've been a ton of books — we're screwed in this way, we're screwed in that way. I didn’'t want to do that again," he said.

Between the lines: Here's just a sample of the broad impact of cDc, The L0pht and W00W00.

  • Members of cDc went on to run DARPA, and at least one held national office before recently announcing a run for president. Others became the prototypes for the ethical CISO as an ombudsman for the customer. A third group, cited as inspiration for Tor and the Citizen Lab, developed the ethical basis for hacktivism.
  • The L0pht developed the idea of responsible disclosure — disclosing vulnerabilities to a company, giving them the opportunity to fix a security flaw in a product before the researchers publicly released it at a predetermined date. Until responsible disclosure, and the threat of hackers seeing unpatched attack techniques, companies often ignored researchers.
  • cDc released the "Back Orifice" hacking tool in 1998, which marked a turning point in Microsoft starting to take operating system security seriously.
  • W00W00 hackers created Napster, and more recently, WhatsApp.

The bottom line: While factionalized hacker groups similar to those of the 80s and 90s don't exist anymore to take the mantle of the cDc, companies and nonprofits could adopt the same deliberative, ethical approach to problems.

  • "Some things have been lost in terms of these cross-cultural groupings, but there are more avenues. Facebook and Google are hiring ethicists," Menn said. "Companies need to look to cDc."
  • Startups and small organizations have opportunities to start with ethics from the ground up.
  • "It's hard to bolt on morality after the fact," said Menn.
Go deeper