AS THE L0PHT and the Cult of the Dead Cow attracted more technologically advanced members, some of the earlier guiding forces faded to the background. Fringe culture fan and cDc cofounder Bill Brown stayed loosely in touch through art college and as he began working on experimental documentary films, some of which landed in major museums. Then he saw cDc become part of the mainstream news. Good for society, he figured, but less of a fit for him. “It is exactly when cDc becomes interesting that I became less interested in it,” Bill said. cDc now included the elite of the hacking world, even though its earliest text files had mocked such people as exclusionary showboats. “It became more and more like the thing it was supposed to be pranking about.”
Kevin Wheeler sympathized. As the group discussed possible new members in 1999, he lamented: “These guys are all tech guys. Where’s the cDc skateboarding team? Why are there no porn stars in cDc? No guys into scary militias and a compound in Montana? Why are we 95% white males?” It was true, cDc was getting less countercultural and less strange. The new tech talent attracted more like themselves—highly educated, curious technologists with a skeptical view of the world. The final crossover member of both the L0pht and cDc was especially that. Christien Rioux’s father was a musicology professor in Lewiston, Maine, who brought home programming books as he grappled with software for processing music. Like Mudge, Christien learned to break protections around the childhood computer games in order to keep playing them. The family moved to Monmouth to get Christien into a public-school program for gifted kids. Even so, he skipped eighth grade and spent his senior year of high school at Bates College. Bates had access to Internet Relay Chat and Usenet, and he found cDc text files there in 1992. He was admitted to MIT in 1994, at age sixteen, on a full scholarship.
For someone who had always been the cleverest kid around and had never been to Boston, Christien had a lot to take in. Academically, Christien appreciated that MIT had stopped issuing grades to freshmen after too many suicides. There were parties with other bright kids every Friday, and the newcomer became social chair of his frat. Christien also took responsibility for connecting the frat to the university network, and he closely tracked how the net was developing. He was thinking of himself as a computer game programmer when he read papers by Mudge and others about finding software flaws that could be exploited, and he became entranced with the idea. Among the more promising classes of screwups in programming was a failure to stop what were called buffer overflows. If the coder did not properly limit the amount of data that could be taken into a buffered area of memory, a hacker could enter too much and overflow it, making the excess data delete something in nearby storage. In some cases, that would allow the hacker to take control of the machine. Buffer overflows had been found in a number of high-performance systems, though not the early versions of Windows. Christien found an overflow in Internet Explorer 4, the browser that Microsoft improperly bundled with Windows in 1997 in order to beat pioneer Netscape.
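The class of bug described above, as an added C illustration that is not from the book or from any L0pht or cDc code: a fixed-size buffer filled by an unchecked copy, beside the bounded copy that rejects input which does not fit. The buffer size, function names, and sample strings are my assumptions for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN 16   /* fixed-size buffer, the classic setup for the bug */

/* The defect the chapter describes: strcpy copies until it finds the NUL
 * terminator and never consults the destination size, so a source of
 * NAME_LEN or more characters writes past the end of dst into whatever the
 * compiler placed next to it (other variables, saved registers, the return
 * address). Kept here only to contrast with the checked version; with
 * untrusted input its behaviour is undefined. */
void copy_unchecked(char dst[NAME_LEN], const char *src)
{
    strcpy(dst, src);
}

/* Bounded length: counts at most `limit` bytes, so an unterminated source
 * cannot itself cause a read overrun while we measure it. */
size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* The fix: refuse anything that does not fit together with its terminator.
 * Returns 0 on success, -1 when the input was rejected (dst left untouched). */
int copy_checked(char *dst, size_t dstsize, const char *src)
{
    size_t n = bounded_len(src, dstsize);
    if (n >= dstsize)        /* n == dstsize leaves no room for the NUL */
        return -1;
    memcpy(dst, src, n + 1); /* n bytes plus the terminator */
    return 0;
}

/* 1 if `src` is accepted into a NAME_LEN-byte buffer, 0 if the check rejects it. */
int fits_name_buffer(const char *src)
{
    char buf[NAME_LEN];
    return copy_checked(buf, sizeof buf, src) == 0;
}

int main(void)
{
    char name[NAME_LEN];
    const char *ok  = "Dildog";                 /* 6 chars: fits */
    const char *bad = "0123456789ABCDEFGHIJ";   /* 20 chars: would overflow */

    copy_unchecked(name, ok);   /* safe only because this input is short */
    printf("unchecked copy of short input: %s\n", name);
    printf("checked copy of short input: %s\n",
           copy_checked(name, sizeof name, ok) == 0 ? "accepted" : "rejected");
    printf("checked copy of long input:  %s\n",
           copy_checked(name, sizeof name, bad) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The important detail is the off-by-one at the boundary: a 15-character name plus its terminator exactly fills 16 bytes and is accepted, while a 16-character name needs 17 and is rejected, which is the case an unchecked `strcpy` silently gets wrong.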
Christien excitedly wrote up his finding for 2600, which declined to publish it. So he took his printouts to a 2600 meeting at the Prudential Center, hoping to impress the L0pht guys. It worked, and they published an advisory about IE4 under Christien’s new handle: Dildog, after the Dilbert comic’s initial name for the dog character, Dogbert. Microsoft emailed and calmly asked that in the future, the L0pht hold off publishing details of security flaws until a patch was ready. “Maybe that’s not a bad idea,” Chris Wysopal said. Before that, if companies had complained about being taken by surprise, the L0pht had given a canned response about caring for the users, not the vendors, Christien said. But he found it hard to argue that most users wouldn’t be in better shape when a patch was out. So the group began negotiating with Microsoft and other companies. It would offer a month’s notice before going public, while the companies asked for more time. Often they reached a compromise in the middle, and the current standard of coordinated disclosure began. Reading the disclosures made it easier for malicious hackers to learn most of what they needed to launch an attack based on the flaws, but everyone who patched right away would be safe. Without the disclosures, only the hackers who took the effort to reverse engineer the patches would have been able to launch the attacks, but there would have been less public awareness of the problems. Mudge and Wysopal, who wrote many of the advisories, became the most visible and articulate explainers of the researchers’ side. “I wanted the L0pht to be Consumer Reports and Rachel Carson and Ralph Nader,” Mudge said. “That was my vision.”
Despite his youth, the group took Christien along for hangout sessions at New Hack City, home to the cDc servers. Mudge impressed him while playing quarters by rolling the coins off his nose before they bounced into a beer glass. As an MIT junior, Christien took a class on social issues in computing that turned out to be mostly about security. An early assignment was to look into buffer overflows, and the instructor put up a slide of one attributed to Dildog. “This is going to be much easier than I thought,” Christien said to himself. The L0pht invited him to join in late 1998, after Christien graduated, and it used money from the sale of its security tools to pay him to write the next version of its best-known program, the L0phtCrack password breaker. It was a major improvement, brought in almost $500,000, and prompted the squad to make Christien their first full-time employee. “The point of L0phtCrack was to get everyone out of their day jobs,” he said.
By the time Wysopal brought Christien in, the L0pht was already famous. Wired and the Washington Post had written about it, as the advisories and tools drew attention to the downside of marketing-driven technology companies with no legal liability and little market punishment for the insecurity of their products. No one else had enough of an incentive to point out the emperor’s lack of clothes.
Inside Microsoft’s biggest customer, the federal government, Richard Clarke was getting nervous. Nobody seemed to be talking about the risks of hacking. A counterterrorism expert on the first President Bush’s National Security Council, Clarke was named the NSC’s national coordinator for security, infrastructure protection, and counterterrorism by President Bill Clinton in 1998.
Everything important in the country ran on software, most of it procured on the open market, and yet Clarke kept reading about hackers having their way with it. Surely rival governments could be doing that in America as well. Clarke’s suspicions intensified after the war game exercise Eligible Receiver was run by the Defense Department in 1997. An NSA red team, tasked with breaking into Pentagon networks, ran roughshod over them using only conventional tools. Clarke didn’t know it at the time, but Moscow was already doing the same thing for real in an operation later discovered and dubbed Moonlight Maze. The success of Eligible Receiver prompted the Defense Department to set up the Joint Task Force–Computer Network Defense, which would work on behalf of all branches of the military.
Yet the leaders of the NSA were still telling Clarke there wasn’t much to worry about. He met with the CEOs of Microsoft, networking king Cisco, and database giant Oracle, and they said the same thing. “They were all telling me their shit didn’t stink, and I had a hard time reconciling the fact that Oracle and Microsoft and Cisco were all perfect with the fact that all these hacks were occurring,” Clarke said. “It seemed obvious I needed to talk to the people doing the hacking. But they [were] probably criminals, so I asked, are there people like that who are not criminals?” Clarke talked to an FBI official who had transferred from the Boston office. “He called back a few days later, said the Boston office knows this group of hackers that they vetted, they think they’re clean, and when they have technical questions they ask them stuff.” Clarke took a crew from the NSC up in early 1998. The L0pht gang suggested a drink at a bar called John Harvard’s, then watched silently to see how many officials were there and how long they would sit before getting up to leave. After an hour, when they finally stood, Mudge said hello.
After beers, the group invited the NSC team back to the L0pht. The men showed off a little of what they were working on. As they were leaving, Clarke huddled with the other officials in the parking lot. A bit spooked, the hackers told Mudge to tell them it was impolite to whisper in their presence. He marched over and did so, demanding to know what the group was discussing. Everyone looked at Clarke, who looked at Mudge frankly. “We were saying we thought all this wouldn’t be possible without some government’s support,” he told the longhair. “Have you gotten any?” No, Mudge replied, then joked: “If you have an offer, we’ll listen.” Clarke paused, then laughed.
Clarke stayed in touch with Mudge afterward. Out of the group, Mudge was especially receptive. Some old-timers in cDc still instinctively disliked the government, or at least some of its laws, such as the ham-handed Computer Fraud and Abuse Act, or certain branches, namely the FBI. But Mudge was among those whose families had been paid by government dollars, and he had worked as a government contractor at BBN. He also felt that everyone should know what he knew. Perhaps the government would still make the wrong calls, he realized. But at least it wouldn’t be out of ignorance. There was one last, less noble reason for playing ball. He was counting on people in the military being able to vouch for him if the FBI got overexcited and suddenly raided the L0pht. “Should I find myself in court with a bunch of L0pht folks, brought up on charges of disturbing the peace or something, I wanted to be able to reach out and have a bunch of people with uniforms and a bunch of medals sitting up there as character witnesses,” Mudge said.
Clarke was quietly preparing an order that would be known as Presidential Decision Directive 63 on critical infrastructure protection, which gave the government more authority to lead on private-sector security measures. For ammunition in the intergovernmental turf battles and to head off complaining from the US Chamber of Commerce, Clarke called on his new ally in Boston, and shortly after, Senator Fred Thompson formally asked the seven current members of the L0pht to testify before Thompson’s committee about threats from hacking. Mudge said they would only do it if they could use their hacker names, which was all that had been public about them up to that point, in order to protect their day jobs. Thompson agreed. The National Security Council had a message they wanted to get out, and this was an opportunity for the L0pht to interact with the government “without us being labeled as criminals,” Mudge said.
Everyone who didn’t already own a suit bought or borrowed one, and they testified in May 1998. Chris Wysopal, Brian Hassick, Joe Grand, and three other members of the L0pht sat with Mudge and his heavy-metal hair in the middle. He was the only one present who was in the Cult of the Dead Cow. Dan MacMillan had moved west, John Lester had been displaced from the L0pht, and future cDc member Christien Rioux wouldn’t join the L0pht for a few more months. “If you’re looking for computer security, then the internet is not the place to be,” Mudge told the senators. “How can we be expected to protect the system and the network when all of the seven individuals seated before you can tear down the foundation that the network was built upon?” The most dramatic claim they made during the testimony was that they could take down the internet in thirty minutes through a problem they had found in the internet’s routing procedure, Border Gateway Protocol. The L0pht had already contacted the relevant manufacturers about the issue, Mudge said later. The senators present were far more alarmed by what they heard from the hackers than they had been by what the military and intelligence brass were saying. “We were a visceral representation of what the adversarial view was,” Wysopal said.
The testimony made the L0pht into the first group of rock-star hackers, and Mudge was the bandleader. But even with cover from the government, he and others in the L0pht, especially the newer and cleaner members like Wysopal and Christien, were nervous about their plans to not just improve the state of security but earn a living in the process. They knew the L0pht couldn’t make things up or throw verbal hand grenades at the government or giant companies.
For that, there was the bad cop, cDc, which played with seeming sinister. Both groups were mad that Microsoft had sidestepped Back Orifice without getting serious about security. It sent two messages: that Back Orifice was not a problem, and that to the extent some users felt it was, they could always just switch to Windows NT or later versions. The only way to fight back was to create a new version of Back Orifice that could beat the new operating system. That would show that Microsoft’s main programs remained fundamentally broken because they did not give users a reliable way to know what was trustworthy on their machines. Christien was the best person to write the 1999 sequel to Back Orifice, and he had been drafted to cDc earlier that year. Though he was being paid by the L0pht at the time, the L0pht could not publish what they decided to call Back Orifice 2000, because that would have tied the L0pht too closely to cDc and therefore to Def Con and costumes and rapping, along with the air of drugs and crime. “BO2k couldn’t have been L0pht, because it already had stank on it,” Mudge said. It had to remain separate from the L0pht to avoid alienating the Richard Clarkes of the world, who were potential L0pht customers and partners. cDc would release BO2k with even more spectacle at Def Con in July 1999 than it had created the year before.
Though Windows NT had been put together much more carefully than Windows 98, the core problem remained. The computer handed off too much control to outside programs that were not signed digitally, or otherwise attested to as authentic, by Microsoft or the vendors of those programs. As a result, it was only a modest challenge for a hacker to get a malicious program running on a Windows machine, then hide the fact that it was there. cDc wanted to warn everyone that Microsoft’s security setup was too complex and that users could be running something dangerous without knowing it. It wanted the company to require customers to verify the source and condition of the outside software, so they could then decide what to trust. “Our position should not be one of Microsoft bashing, but rather of user education,” Christien wrote to the others in the group. Microsoft had screwed up, and it “needs to take responsibility for putting so much power in the hands of the user.”
Christien’s program was dramatically better than Josh Buchbinder’s. Beyond the coding improvements, cDc wanted to settle an argument by Microsoft supporters and some hackers that Back Orifice was unsafe and might contain a back door for cDc, neither of which was true. This time, the group wanted to release the code, to make it open-source. That would prove that there was nothing up cDc’s sleeve. It would also up the stakes by making it easy for hackers to modify it, rendering antivirus programs, which look for identical versions of things previously flagged as bad, far less effective. The Atlanta FBI office warned the Pentagon and other potential targets that the new version would be “potentially more destructive and difficult to eradicate” and that all concerned should “aggressively review and monitor” their security measures. The Defense Department’s Criminal Investigative Service looked into BO2k to help the military develop countermeasures but did not pursue the matter beyond that. There would be more hacking. But that would put more pressure on Microsoft to make deeper fixes to its programs.
As before, cDc drew the line at integrating any additional program that would take advantage of a software flaw to deliver and install the tool. The lack of such an exploit limited the group’s moral culpability, cDc felt. The members were distributing a safecracking tool but not the keys to the vault that held the safe. There was also a risk of legal liability. Courts had by then ruled that code was speech, and therefore almost no regulation could stop it from being written and distributed. But most serious programs also used encryption for communication. In the case of BO2k, the encryption would prevent data that was moving from an infected computer to the hacker’s computer from being intercepted and deciphered. The Clinton administration had continued to clamp down on the export of strong cryptography, over the objection of US-based multinational technology firms. The government likened serious encryption to a weapon, albeit a defensive one, and made it subject to export controls. As is still the case, Washington wanted to maintain its ability to break codes used elsewhere. If strong encryption products go to other countries, that makes it harder. So Uncle Sam has used a variety of regulations to stop or hinder such exports.
Christien did not want to get in trouble with the US government. A lawyer was hired to take a look at the program and make sure they wouldn’t get in export trouble. She advised them to put a little more effort into keeping the program out of enemy hands, at least until some pending court cases over similar issues were resolved. She told them to check whether the downloaders’ Internet Protocol addresses were in the US and to have the locals promise not to transfer the program beyond the border. Those outside the US got a version with less encryption. “The first rule of the activist is to not get caught,” Kevin wrote to the list. “Federal time is bad time.”
In a new experiment, cDc decided to call BO2k a tool for remote administration in its press kit and documentation. In effect, it would be making the argument that the software was the most sophisticated tool for surreptitious electronic break-ins while also being among the best tools ever made for corporate staffers to remotely monitor what was running on office computers and install new programs. While Symantec and Compaq charged more than $100 for remote tools, cDc would offer similar or better capabilities for free, with code the user could examine. If the group pulled it off, it would be dropping the pants of not just Microsoft but also the established security companies, which cDc felt were getting fat on the internet stock-market boom while peddling average products.
The security establishment showed its true colors as launch date neared. Atlanta-based Internet Security Systems, which had first sold stock to the public in 1998, railed against the dangers of the impending BO2k to drum up its own business. But behind the scenes, it was sweet-talking cDc and asking for an advance copy of the program. That way, it could claim to be blocking BO2k before it came out. An ISS intermediary even offered cash, which was a terrible way to approach a group of volunteers who were convinced they had found the moral high ground. “ISS is just flat-out sleazy in a lot of ways,” Mudge said then. cDc exposed the offer and sent a reply it leaked to the press, saying, “We are gladly willing to provide you with the software you desire if and only if you will, on exchange, grant us one million dollars and a monster truck.” Some ISS employees worked in the office through the Def Con weekend, and they sent kids to the show floor to grab a CD and upload it at the first possible moment.
Because cDc wanted maximum impact, it needed maximum press. For that to happen, it had to have a touch of evil, Kevin reasoned, the same way a punk or metal band craved condemnation. “The hip press has to love us and the square press has to hate us for this to work. That’s the eternal conflict in society to play off and ride,” he wrote to the group. “The day [evangelist] Pat Robertson says something positive about cDc is the day we’re over. The conflict, the drama is what makes this interesting and worth writing about.”
The insider appeal helped as well. When the group made jokes only other hackers got, it gave it street credibility and simultaneously impressed the outsiders, who realized cDc resonated with real hackers more than the people in suits did. But Kevin warned the group not to get cocky, reminding them that cDc had started by mocking the Legion of Doom and other self-serious coders. The point was to have fun and be useful. He wrote just before Def Con, “If we fall for our own hype, that’s the same pathetic retard bullshit that useless rock stars and movie stars fall for, when they ‘can’t handle the pressure’ and get some debilitating drug habit or become assholes, ’cause they don’t understand their role in a system.”
When the big day came, the presentation began with electronic music and the recorded voices of a farmer ordering his daughter to put a cow back in the barn and the girl refusing. With lights pulsating on the screen in the darkened room, Kevin rapped rhythmically and paced the stage for more than five minutes. It was the first full rock-and-roll hacker release, complete with stencil spotlights beaming the group’s longhorn symbol. “cDc loves you!” Kevin shouted, and once again led a call-and-response chant: “Dead!” “Cow!” “Kicks!” “Ass!” Even after the house lights came up, he went on, performing a mock faith-healing and calling for amens from the thousands in the audience. Finally exhausted, he asked Sam “Tweety Fish” Anthony to introduce the rest of the nineteen cDc members assembled onstage, by far the most in any one place.
“This is Deth Veggie, you all know him,” Sam began. “The future of programming, Mr. Dildog.” He went through them all, ending with the surprise reappearance of cofounder Bill Brown, wearing an old-fashioned suit. Then Sam said he needed to make two amendments to his year-old exhortation to go out and hack. “Pick a cause” instead of hacking at random. And don’t get caught. Christien then gave a straightforward demo of the core product and some of the available additions, stressing that the code was thoroughly customizable. The crowd repeatedly interrupted him with applause and oohs and aahs after he explained features, like the ability to delve into other machines connected to the target. After he and Josh fielded questions, the lights suddenly went out again. Bill pulled off his tear-away suit from the front, revealing pasties on his chest. Mudge played rapid licks on the guitar and smashed it against an old PC.
Christien had burned advance copies of BO2k onto CDs with a machine owned by Ninja Strike Force member Limor Fried, whom he was dating. Unfortunately, her machine had been infected with a virus known as Chernobyl, which spread to the CDs for the press and those the group brought to Las Vegas to toss to the crowd, which included diving ISS employees. Once hackers at Def Con uploaded it to the net, someone detected the virus and cried foul. cDc once again faced suspicions of hacking fellow hackers. cDc admitted the screwup and apologized. Fortunately, the version available for download from the cDc website was clean all along.
Christien was so young, and had come to cDc so quickly, that he didn’t have connections to criminals like some of the others. When people asked him whether malicious hackers would use his creation for crime, Christien said he didn’t think so. In retrospect, that was implausibly naive. Though far from malicious himself, he said he wasn’t at the pious extreme, either, but a “question-asker. I am not completely white hat, because I wasn’t trying to secure the world, but to raise awareness.”
Kevin’s hometown paper saw nothing but black hats, and Swamp Rat couldn’t have been happier. “We prefer to call it what it is—organized crime and terrorism,” the Lubbock Avalanche-Journal declared in an editorial condemning BO2k. “BO2k is a weapon. It has no useful purpose other than to attack and destroy the property of an individual or corporation. We believe that it is time for an aggressive campaign against organized hacking. We find it disgraceful that a weapon like BO2k can be given an in-your-face public release by CDC without any real fear by the group or its members of being held accountable.” As Kevin recapped it for friends, the paper was “practically calling us godless commies and a threat to the American way of life and their daughters’ virginity. It was fuckin’ beautiful.”
Security companies didn’t go as far as all that, but they generally categorized BO2k as a virus. Finland-based F-Secure noted that it was likely to be used by hackers, especially since the program went to such lengths to run without detection and to avoid being deleted. It kept changing its process identifier and created new processes in case one was killed. The best-known cryptography expert of the era, Bruce Schneier, gave it a qualified thumbs-up. He wrote that it was useful for systems administrators. He also acknowledged that miscreants would love it, since BO2k was “one of the coolest hacking tools ever developed.” Schneier openly addressed the philosophical game that cDc was playing, and he declared it a winner. “Since it is not distributed by a respectable company, it cannot be trusted. Since it was written by hackers, it is evil. Since its malicious uses are talked about more, its benevolent uses are ignored. That’s wrong,” Schneier wrote on his blog. He said that Microsoft security was virtually nonexistent in Windows 95 and 98 and that a user would have to make more than three hundred adjustments from the defaults in Windows NT to make it safe.
Microsoft had created the danger, and “what Back Orifice has done is made mainstream computer users aware of the danger. Maybe the world would have been safer had they not demonstrated the danger so graphically, but I am not sure,” Schneier wrote. “Microsoft only responds to security threats if they are demonstrated. Explain the threat in an academic paper and Microsoft denies it; release a hacking tool like Back Orifice, and suddenly they take the vulnerability seriously.” Some of the most enthusiastic support came from those high up in government and defense contractors. One Lockheed Martin expert wrote to a security mailing list that the fanfare around Back Orifice had prompted him to look into the prevalence of Trojan programs, which allow computer takeovers, and that he had been stunned to find more than ten in quiet circulation. He said the new noise around BO2k was the shock treatment that network administrators needed. “If your security is not strong enough to stop script kiddies with publicly available tools, then you have no hope of securing your network from professionals waging war,” he wrote. “Wake up people, it’s going to get much, much worse.”
In public, Microsoft again pooh-poohed the issues, even after hackers posted videos of themselves taking over strangers’ machines. In private, it panicked once more. An executive asked security worker Rob “Whitey” Beck, a friend of Carrie Campbell, to have her bring in a video of the Def Con presentation. Carrie wanted to help Microsoft do better. So she walked across the street to campus, met the executive, and then gasped as he took the CD she handed him and popped it into his office computer. “Wait,” she said, before he could type “run.” “Do you have a sandboxed machine?” She meant one where a malicious program couldn’t move to other computers. The man stared at her. “You’re not putting that CD into a machine connected to the network, are you?” Sure, he said. “Um, really? Don’t you have a separate box you can put that into?” Another blank look.
“So let me get this right. You have a member of an internationally famous hacker group that just released a tool to help people defeat Microsoft security, sitting in front of you, you don’t know her at all, and you’re putting a homemade CD she handed you directly into your machine? Please tell me you at least are running an antivirus tool against it?” He wasn’t.
All the noise still hadn’t fully penetrated Microsoft. But it had finally gotten through to Microsoft customers, especially banks, who pressed the company to make serious changes or risk losing them all to Linux. After BO2k, Microsoft did more to promote the use of digital signatures that established who was standing behind a program. “File integrity became a big thing” too, Beck said, with software that checked that a program had not been altered. Security budgets rose across the industry as companies spent more on deeper security research and bought firewalls and intrusion-detection systems.
Pulling off feats like the Orifice launches two years in a row cemented cDc’s position in security culture as the internet boom was peaking. In a format later adopted by Reddit for its AMAs, the leading tech-discussion site Slashdot arranged that fall for cDc to answer reader questions under their various handles. Amid a lot of joking and posed crudeness, they articulated quite a few beliefs and goals for security that had many tech-industry readers nodding. They especially wanted software companies to put more thought, effort, and money into user safety and privacy, even if they did not consider themselves to be in the security business. “Make security concerns and security audits an integral part of the development process, rather than an afterthought,” urged Sam. Added Christien: “Encrypt everything. Eliminate HTTP and go right to HTTPS everywhere.” About nineteen years later, Google’s Chrome browser would finally begin warning users who reached HTTP sites that they were “not secure.”
Since they all had day jobs, they laughed off suggestions that they distribute a greatly expanded suite of software, but they actually had more ambition than they let on. They had already begun following a path proposed by the member urging them to use their notoriety for the greatest possible good: Oxblood Ruffin.