Two decades ago, the legendary hacking group Cult of the Dead Cow released a piece of software which helped change the way the world thinks about information security. Reid Fleming (cDc) – cDc member Mudge, a.k.a. Peiter Zatko, prepares for the show.
Emma Best JUN—05—2019 01:30PM EST
The Cult of the Dead Cow (cDc), a hacker group founded in Lubbock, Texas in 1984, paved the way for a generation of hacktivists, making members into celebrities within the hacking community. In 1999, the group took the stage at the seventh annual DEFCON hacker convention in Las Vegas to announce the release of BackOrifice 2000 (BO2K), which could be used — for good or ill — to gain control over powerful computers running Windows operating systems. Yesterday, the group released behind the scenes footage showing not just the legendary presentation itself, but the lead-up to an event that would have a permanent effect on the infosec community, as well as FBI documents obtained by Freedom of Information Act request which show that the cDc’s previous software releases had earned them the attention of the FBI.
The group aimed to force Microsoft, at the time the most powerful computer company in the industry, to improve its network security, and wanted to provide the world with a powerful, legitimate, and free to use remote administration tool. The Bureau, however, saw BO2K — which, if used by IT professionals needing to access their network’s computers their own device, essentially served the same purpose as products that Microsoft itself sold — as a “virus” that could be used to attack military and corporate computers. To the FBI and Microsoft, the problem wasn’t that the insecurities in Windows existed – it was that they could no longer ignore them. “Our position is that Windows is a fundamentally broken product,” he told reporter Julian Borger in an interview with The Guardian. To an older generation of hackers, BO2K and its legendary release are a seminal moment in hacker history, one which the public can now experience through the eyes of cDc.
At the previous year’s DEFCON, cDc had released the original Back Orifice, which took its name from Microsoft’s BackOffice server and allowed users to remotely access personal computers running Windows 95 or 98. At the time, the information security industry was bound by a sense of inertia, with companies such as McAfee focused less on creating software that addressed newly discovered issues with Windows and instead on marketing campaigns that depicted computer viruses as abstractions that could only be solved through literal magic. Meanwhile, Microsoft’s proprietary remote administration software, SMS, was expensive, rigid, and functionally no different from many hacking tools. “One of the reasons Back Orifice is so nasty is that Microsoft doesn’t design its operating systems to be secure. It never has,” security expert Bruce Schneier told CNN in 1999.
“Don’t worry, ‘cause everything’s gonna BO2K,” cDc’s Deth Veggie told the crowd as the presentation shifted to the hacker known as DilDog, one of the primary developers of BO2K, to explain the highly anticipated new software. While the uninitiated might have expected a typical DEFCON talk or presentation, cDc was there to create spectacle. The group planned a show with music and strobe lights, during which a member named Mudge shredded on an electric guitar. They were going to “show some control,” not just introducing the world to BO2K, but irrefutably demonstrating the weakness of Microsoft Windows.
cDc knew that their best chance of conveying their message was the DEFCON presentation itself. The newly released behind the scenes footage shows them preparing an impressive selection of lights and music for show. They would throw out glowing buttons as they walked to the stage. As the group put it, people were going to “have to sit through a sermon” to get to the show. It was not an opportunity they intended to waste.
cDc live at DEFCON 7 Reid Fleming (cDc)
The group saw a hypocrisy in the way Back Orifice had been represented by both media and Microsoft itself, as well as how they anticipated that BO2K would be represented, which the group was keen to highlight in their DEFCON presentation. “A lot of those other tools out there, [such as Microsoft’s SMS], have modes that can be installed surreptitiously and run without the user noticing,” DilDog said during the talk. “It sounds kind of fishy, doesn’t it?” Simply put, the group’s view was that the only difference between their remote administration tool and Microsoft’s was that Microsoft was Microsoft and they were, well, the Cult of the Dead Cow.
The group also had a message for the burgeoning hacktivists in the audience. “A lot of you kids out there, you go out there and you’re like: ‘Yeah man, I’m gonna hack the website for some bumfuck ISP and save Tibet,’” cDc’s Tweety Fish told the crowd. “I’m not gonna tell you that web page hacks for a political point are wong, but pick the cause before you pick the site you’re gonna hack. Make it a little relevant! If you can think of a way to use your hacking skills to make a difference, that’s the fucking future. That is going to change the world.” Flame wars and pointless defacements, the group warned, would not.
The newly released footage highlights that the earnestness that cDc showed in the press wasn’t simply an exercise in PR. “What [Microsoft is] saying about [Windows security]” Deth Veggie claimed, was “akin to Ford in the 1970s telling Pinto owners, ‘You’ll be fine as long as you make sure nobody rear-ends you. Ever.’” cDc’s mission, he said, was to break the company’s “mentality of insecurity.”
Deth Veggie makes the Pinto comparison in the foreground while NIGHTSTALKER listens in the background. Reid Fleming (cDc)
Today, Deth Veggie recognizes that cDc’s hope that the existence of BO2K would make a point to Microsoft may have been naive. He told The Outline via text message that “in hindsight it was probably idealistic of us to think that we could have made a multi-gazillion dollar juggernaut fix their shit as opposed to just trying to PR spin their way out of the problem.”
But the risk went well beyond a simple PR nightmare for cDc members. According to a statement released by the group alongside the footage, since “BO2K’s architecture allowed for encryption plugins (for example, it shipped with a 3DES plugin), cDc members ran the very real risk of being charged with violating federal export regulations. In fact, cDc’s legal counsel specifically warned that the government had an unpredictable history of such prosecutions.” Even the legal danger the group placed itself in arguably helped point out governmental hypocrisy: By the late ’90s, strong encryption had become more and more necessary to prevent internet users from hacking attacks, but such anti-export statutes, which were meant to prohibit the release of encryption technology to hostile governments, actually kept such tools out of the hands of individuals who were vulnerable to cyberattacks.
The documents members of cDc obtained via FOIA request in 2014 from the FBI show that the group was under active investigation at the time of the release, specifically for their connection to the software. Following the release of the original Back Orifice, the FBI spoke to representatives of the Internet service provider Mindspring, who reported that some clients’ computers had been infected by people taking advantage of the access provided by the Back Orifice software.
FBI / FOIA
The FBI acknowledged that cDc characterized Back Orifice as a remote administration tool, but nevertheless went on to write that “the information released with BO clearly indicates that BO is a hacker tool.” The documents imply that they believed cDc was behind attacks such as the ones against Mindspring subscribers, as opposed to the 300,000-plus people who had deliberately downloaded the software. (The original release notes for Back Orifice list legitimate uses for the software such as encrypted file transfer, system monitoring and in-depth system administration, and the group denied involvement with the Mindspring breaches beyond their release of BO.)
FBI / FOIA
Despite cDc’s intentions, the FBI assumed the worst. The FBI’s inquiry into the group pointed to the software’s open source nature and easy customization through plug-ins as a potential information security threat, fearing that malicious actors would use this to weaponize the software. The FBI Director sent pages of memos to all of the FBI’s field offices on the potential threat posed by BO2K, large portions of which are redacted in the released documents. Attached to one of the memos is an unredacted nationwide warning to all field offices and “appropriate [Department of Defense] facilities.”
FBI / FOIA
The FBI noted BO2K allowed remote control of servers in addition to home computers, making major corporations, the government, and the military all vulnerable to attack, recommending that such “commonly targeted groups” take steps to “aggressively review and monitor comprehensive security measures to protect against the kind of exploits caused or supported by Back Orifice 2000.” Which, in a sense, was what the cDc was trying to get everyone to do all along.
Ultimately unable to find evidence of a crime in their jurisdiction, the Bureau’s Atlanta division simply noted the software existed and closed the investigation. While the Bureau was unable to bring charges against cDc, Microsoft was ready to attack cDc and BO2K, claiming that the software “is designed to be stealthy and evade detection by the user.” However, the cat was out of the bag. In the two decades after the release of BackOrifice 2000, Windows continued to have serious security issues, exploitable by hackers, criminals, and even the NSA, who developed a set of hacking tools that were leaked to the public in 2017. What has mitigated these security concerns hasn’t been Microsoft’s actions, but instead a transition away from hyperextensible operating systems such as Windows and towards closed sandboxes such as Apple’s OSX. While cDc may have lost the battle by failing to cause immediate change, they were on the right side of history, and their point has been proven for them by years of fallout.
The Cult of the Dead Cow also recently made headlines when it was revealed that Presidential candidate Beto O’Rourke had been a member of the hacktivist group, writing blog posts on the cDc site under the name Psychedelic Warlord (some of his old cDc posts can still be read online). In the years since cDc’s heyday, members like Peiter Zatko (then known as Mudge) have gone on to high-profile positions with Google and DARPA, and the group’s exploits were recently chronicled in Joseph Menn’s book Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World.
For cDc’s members, the footage is a trip down memory lane. “I would have preferred more cockfighting,” joked the group’s Krass Katt in a press release, “but the old footage is still pretty cool.” He continued, “Everyone seems so young and lifelike. It was also fun seeing our old pals (who have since passed away) THE NIGHTSTALKER, a former CIA contractor, and [frequent cDc poster] Tequila Willy, who ran for president a few times before that Beto guy.”
BO2K highlighted the security vulnerabilities that Microsoft had let fester in different versions of its Windows operating systems. These vulnerabilities could be used to allow people to use computers without being tethered to the physical device, or to allow people to abuse the computers by seizing control of them remotely. BO2K also challenged Microsoft’s hegemony over the tools that exploited these vulnerabilities by giving users a free alternative, in the process demonstrating that creating an environment of good computer security was worth risking jail.
The entirety of the newly released footage can be viewed below.