Live From Black Hat USA: Making Big Things Better the Dead Cow Way

When Reuters’ investigative reporter Joseph Menn confirmed that presidential candidate Beto O’Rourke was an early member of The Cult of the Dead Cow (cDc), it seemed as though folks had two viewpoints on it. They either had more respect for him because they understood what cDc was trying to accomplish, or they were relatively horrified because “hackers are bad.” It’s easy to fear what we don’t understand, and what is often shed in a bad light.

In InfoSec, we know and understand that hackers are not inherently bad. Many of them are hactivists looking to make positive change in the world. During the Black Hat panel discussion, “Making Big Things Better the Dead Cow Way,” Menn talked about how O’Rourke was 14 or 15 years old when he joined the cDc and left before the organization grew in notoriety, and that he interviewed a neo-Nazi in Texas and proceeded to let him hang himself with his own words. Even at that young age, he was all about diversity and engagement, especially within the cDc.

Mudge Zatko, a prominent member of L0pht and the cDc, who went on to be a program manager at DARPA, shared what he thought stood out most about O’Rourke, saying, “You can form groups online, but when you get together and meet the person, are they who you thought? You met [Beto] and he was a very friendly guy.”

This story matters because in order to make change, you have to understand where your power and influence lie to have the best results. For O’Rourke, that looks like running for president. For the cDc, it was acknowledging that hackers have power and influence. With the understanding that computers and encryption could be leveraged to help human rights efforts, the group made a more public move toward hactivism.

“What can you do to make the world a better place? How do we leverage this power? Use that to go through the media, and hopefully through some sort of technology, but especially through our connections to the media and use the influence of our long history,” said Mudge.

While Veracode co-founder Christien Rioux, or Dildog, opted to work with the private sector to tackle issues of security at a wide-scale by creating the technology that would become static binary analysis and Veracode, there are many who opt to take more of a hactivist approach. As with anything else, there are varying views on what hactivism is and what it isn’t – which parallels with debates about what human rights truly encompasses.

“What is your definition of human rights? Just governmental interaction because of civil liberties, or is it applicable to private organizations,” asks Luke Benfey (aka Deth Veggie). “Some believe it is and some believe it isn't. There are philosophical disagreements about what is ethically valid. Some believe that DDOS or web defacement is not applicable as legitimate means of protest, and others believe it is a legitimate means of protest. These are things that are still going on, and I don't necessarily think that the kinds of hactivism have changed radically, so much as scale has changed; the Internet and access to it has spread much more widely around the world.”

With broader access comes broader awareness and even broader responsibility: once something is seen it can’t be unseen. While we certainly see malicious cyberattacks making headlines, a lot of good is being done by the hacktivist community as well. Just look to discussions around coordinated disclosure and the ways in which security researchers are working with private and public organizations to make them – and all of us – safer.

If you’re looking for something to do, and want real proof of the cDc’s hacktivist ethos, we were told that if you search the former Yugoslavia website for cDc in the case files pertaining to former Yugoslav president Slobodan Milosevic’s trial for war crimes, you’ll see that they pop up a lot for their work helping prosecutors.

Or you could just watch this video Q&A where Veracode Co-Founder Chris Wysopal (@WeldPond) interviews Menn, Rioux, and Deth Veggie about the cDc and Menn’s book, “Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World” at this year’s Black Hat.