Security Outliers Series: 5 Questions with Author Joseph Menn

When I was a reporter covering the nascent security industry in the mid-1990s, I realized that the standard hacker-as-bogeyman narrative that dominated the news was inaccurate and counterproductive. It was an oversimplification that allowed software companies to shirk responsibility for securing their products and gave law enforcement a new enemy to fight. But the broad brush covered many hackers — including those now recognized as security researchers — whose efforts forced the industry to take security seriously in the face of real threats from cybercriminals and nation-state actors.

Much like the free thinkers in art, music and philosophy who congregated on the Left Bank in Paris in the 1940s, these hackers were revolutionaries who challenged the norms in their field. Many of them gravitated to two early hacking groups — Cult of the Dead Cow (cDc) and L0pht Heavy Industries. The work of these hackers is finally being properly recognized in a new book that reveals the true extent of their efforts to protect people, both online and in the real world, and has implications for the ethical quandaries of tech companies today. Below is my email interview with Joseph Menn, long-time reporter for Reuters and other news organizations and author of “Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World.” 

Elinor Mills: Why did you write this book?

Joseph Menn: My previous book, “Fatal System Error,” had a fun story that ended with bad guys in Russia going to jail. But the real point of the thing was just how dire the West’s situation is with regard to cybersecurity, for multiple reasons: geopolitics, the failure of the security marketplace to effect real change, and regulatory stalemate among them. Since then, other books have shined lights on one or another aspect of the problem, and I think people have now gotten the idea. For this book, I thought it would be much more useful to point to something positive–something that has really worked to improve things, and that others could emulate.

EM: So, how will they save the world?

JM: Mudge (aka Peiter Zatko) figured out a way for the government to tap into the work of brilliant individual hackers. DilDog (Chris Rioux) gave companies the ability to see what the software they bought was actually doing. Oxblood Ruffin (Laird Brown) convinced at first hundreds, and by now thousands, of programmers that they could protect people with “hacktivism.” All of those things are tremendous. But what will make all the difference is how many people come to believe they have the same responsibilities and abilities, perhaps especially people inside the largest and most powerful tech companies.

EM: You had a big scoop in there — Beto O’Rourke being in the cDc. How did you uncover that and manage to keep it secret until he announced his presidential candidacy?

Cult of the Dead Cow hackers Adam O’Donnell and Beto O’Rourke, and cybersecurity expert and serial CSO Alex Stamos

JM: When I committed to writing the book I knew there was a member of Congress who had been in the cDc. After O’Rourke began running for Senate from Texas in 2018, I saw stories that said he had been in a punk band and had started a software company. My sources in the cDc would not confirm or deny my guess. I then told them that the book would not publish until after the election and that I would honor an embargo until November, which is not unusual for books that touch on campaigns. They agreed and confirmed it, and then O’Rourke did as well. As for it remaining secret for a few months after that, the biggest factor was that the majority of cDc was by then rooting for the book to do well, and they knew that letting the news come out through someone else and way ahead of time would detract from my effort.

EM: I was surprised to learn that seemingly anti-authority cDc members would end up working with intelligence agencies. How did that happen?

JM: It was fascinating to learn how the various moral codes in the hacker community developed when it was all quite raw. Cooperating with law enforcement was seen as a major mistake. But the intelligence agencies were treated differently. Still, not all of the cDc would have worked with the agencies, and those who did cited multiple factors. One was that it would be handy, in the event of an arrest, to have generals show up as character witnesses. Another was that the agencies were genuinely trying to learn what was feasible with technology in order to defend the country, and no one in the cDc was pulling for China or Russia.

EM: A lot of cDc members went on to become big shots in the security industry, starting their own companies, working for DARPA, heading up security teams at Apple, Google, etc. What was it about this group that fostered that kind of extraordinary success?

JM: A few things. They were early adopters and extremely bright, the brightest group of people I have ever run into. They cared about a lot of issues and thought hard about them without rigid preconceptions. And they shared core values while coming from varied backgrounds. A group effort by people like that can have a tremendous impact, both directly and by inspiration.

Stay tuned for more interviews as part of our Security Outliers series. Thank you to Joseph Menn for kicking us off. “Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World” is now available and you can follow Joseph on Twitter at @JosephMenn.