CHAPTER 5

BACK ORIFICE

PEITER “MUDGE” ZATKO arrived at Boston’s Berklee College of Music in 1988 to study guitar composition and performance. It was either that or go study technology somewhere else, and back then computer science departments weren’t teaching what he was interested in—how things really worked, as opposed to how they were supposed to work. But his classes during the day were not going to present much of an obstacle to learning what he wanted. Mudge already knew a great deal from experimenting and from the bulletin boards he had been on for years, where he had met Dan MacMillan and others. Once he moved up to Boston from his father’s place in Pennsylvania, Mudge also found the 2600 gatherings and discovered that MIT students were just as interested in using Berklee’s recording studios as he was in using MIT’s lab computers. Bartering solved both problems neatly.

Mudge stood out in many respects, even from oddball hackers. He grew up in the deepest South, where his father, David, taught sophisticated chemistry at the University of Alabama, and he was a full-fledged musical prodigy. His parents started him off carrying a cigar box under his chin at two and a half, Mudge said, to get him used to putting a violin there. By the time he got to Berklee he was practicing five hours a day, a routine he compared to the grueling training of Chinese acrobats. But he was never just about music. David Zatko worked on the government’s space shuttle efforts and brought home computer parts to his toddler.

With a $5,000 bequest from Mudge’s grandfather, the middle-class family bought an Apple II Plus, intending it to be educational. That it was, especially because a nearby store offered software that the buyer could return quickly for a partial refund. That made cracking the copy protection an imperative for Mudge and his father, and it was an early lesson in perverse incentives, a subject that Mudge would one day find himself debating in the Pentagon. Breaking the rights management on Apple software and games like Ultima IV “was our jigsaw puzzle,” Mudge said. “We did that, and we picked locks.”

Before the Computer Fraud and Abuse Act of 1986, and especially before War Games made open networks into overcrowded playgrounds, Mudge roamed far from home. His custom when entering a company’s network was to leave a message announcing himself. Sometimes, the administrator would bark at him to leave. Other times, employees would ask him to avoid a certain area. But most often, no one complained. Given Mudge’s attitude, his skills, and the LoD and MoD members he hung around with, many of his friends believe Mudge did other things that would be harder to defend in the light of day. Officially, he denies having broken the law, even by uploading pirated software to the trading sites he visited. He admits only that he got unwanted attention from the authorities due to his explorations. Others who might know differently could have a tough time proving it was really Mudge they were dealing with. When it came time to fill out forms to apply for a US government security clearance, Mudge’s list of aliases ran for ten pages.

Obviously Mudge had been up to something—so much so, he joked, that when the Chinese stole his and millions of other people’s SF-86 security-clearance applications in 2015, they must have thought they were being trolled: no one with his history could have gotten a clearance. To remind him of the risks of overstepping, Mudge kept a picture above his computers of his friend Byron York, known as Lou Cipher, getting arrested in Texas. Mudge had met York through Dan MacMillan and Jesse Dryden. To Mudge, he was a nice guy who had been through a lot. In the picture, York was face down on the grass, a cop’s knee on his back.

The picture also served to prod Mudge about discretion. At HoHoCon ’92, when he was out on bail, York had told his fellow hackers that he had been set up by a full-time informant who preyed on his circle after one of them admitted to crimes during a meeting of Alcoholics Anonymous. “He badgered us for about six months until we finally said okay, allegedly” to a scheme counterfeiting government checks, York had said. “Entrapment doesn’t apply because he’s not law enforcement.”

The snitch was in the background of the arrest photograph, unmolested. The picture changed offices every time Mudge did, “a constant reminder to never lose track of my moral compass and why I was doing everything, and that it would require constant vigilance to do so,” Mudge said. He developed his own ethical code: He cared about information. He didn’t care who he got it from, including criminals, and he was generous about sharing it, including with government officials. But he would never name names.

After Mudge moved to Pennsylvania as a child, his parents’ bitter divorce left him in control of his own hours. He convinced his suburban public high school that he was an emancipated minor and could excuse his own absences. Mudge preferred to hang around older musicians and hackers, including Robert Osband and others he met through TAP.

Then came Boston, and meeting his fellow hackers in Harvard Square, and after college a trainee slot at BBN Technologies, working with people who helped build the internet. The long-haired Mudge started out in a temporary tech-support job in the supercomputer department, with the promise that he could stay on in another division if it agreed to take him. Instead, he signed on to create the security department. By that point, he had already gotten Dan a job at a different computer company. Over the coming years, he would help Brian Hassick, Chris Wysopal, and several others land jobs at BBN.

Dan took Mudge to visit the L0pht in 1994, and two years later, as the consumer internet was taking over the outside world, he joined. Around that time, the group was moving to a bigger space in a warehouse in Watertown. Mudge immediately started spinning ideas about making the L0pht more sustainable. Instead of just a clubhouse, he thought, it could be a research lab. They could make security tools and sell them, using the money to keep hacking. Eventually, if all went well, they could quit their day jobs and hack whatever struck their fancy.

There was one hitch, the existing members said: cDc’s John Lester, known as Count Zero. He wasn’t interested in turning their hobby into a business, and he felt it would fundamentally change the chemistry of the L0pht. One night, while everyone was together but John, they sent a cowardly email from L0pht cofounder Hassick’s account asking John not to join them in Watertown. At a follow-up dinner with him to discuss it, Mudge did most of the hard talking. His role in John’s departure cemented Mudge’s new position as L0pht front man.

Newly incorporated as L0pht Heavy Industries, the group began releasing tools, including one that originated at Mudge’s day job. He was used to Unix, but BBN was bringing in Windows machines, and Mudge had to handle security on those as well. Looking to test the strength of user passwords, he discovered that Microsoft was chopping up long and strong passwords into two fields of seven characters each, making them far easier to crack. He wrote a guessing tool and asked BBN if they wanted to do anything with it, but the program had a casual, homemade feel to it, and BBN declined. So Mudge brought it home to the L0pht, which put it out as L0phtCrack. Wysopal wrote a second version, adding a graphical user interface, and the L0pht began charging a small amount for it.

The L0pht also released a series of security advisories, warning the public of flaws in a range of software, including Sendmail, Lotus Domino, and Microsoft’s IIS web server. Security consultants took note and customers complained, forcing the product makers to issue fixes. The advisories drew the first wide attention to the L0pht. And within the industry, it crystallized a debate that had been raging behind closed doors for years. Many companies argued it was irresponsible to tell people about flaws in the private software they sold because it taught hackers how to break into customers’ machines. In some cases, software producers even sued researchers for evading the protections on programs they had purchased in order to look inside. But when hackers told only companies of the flaws, the software makers usually ignored them. The only way to actually force things to get fixed was to expose the information.

Given what Mudge had accomplished at the L0pht, Misha Kubecka and Dan MacMillan lobbied Kevin to bring Mudge into cDc as well in 1996. “Mudge is someone to be reckoned with, and it’s a good idea to have him in our camp,” Misha wrote to the group mailing list. The others had the impression that, among his other qualifications, Mudge had hacked other security luminaries. But Mudge generally let people think he did more hands-on hacking than he did. At BBN, he had free rein over everything that company supported, including military and financial systems. That made random break-ins elsewhere less tempting. Once, a leading security figure came to the L0pht, and Mudge asked him why the White House email-monitoring system the visitor had built had been configured in a certain way. Mid-answer, the guest realized that Mudge had to have been inside that system to know enough to ask the question, and he said as much. Others present assumed that Mudge had hacked the White House, though actually he had been authorized to examine the design on behalf of BBN.

At the L0pht, Mudge also acted as a defender. He did install a back door on the Unix servers to make sure they weren’t misused, or at least not much, by guests. But outside his home turf, different rules applied. Mudge wrote exploits and gave them away to defenders and attackers alike. “I would give certain teams, groups, and people early access to some of my software and tools. Sometimes tools that were a bit too powerful and purpose-built for me to release them publicly,” Mudge said. Sometimes, those attackers would give him back tribute, including priceless code for major operating systems. Mudge did not ask for those goods or trade for them, and though in theory he could still have been charged with receiving stolen goods, he was not.

“The bartering system back then for actual hackers and folk were these tarballs of proprietary source code, personal or private information. New tools were sometimes viewed as more valuable, so I was looked at as a real heavyweight,” Mudge said. “It was important for me to be viewed as sharing with the community, because I believed in it. And yes, there are parts of the community that were obviously doing illegal things. That wasn’t my focus, nor my goal. I wanted to inspire more people to release novel tools and applied research so we could understand and fix the cyberworld that was being erected around us.”

Though there was enthusiasm for Mudge from the Bostonians, Jesse, and others, Kevin had final say over all new members, and it was going to be awkward because John Lester was already a member. But Mudge would cement the group’s transformation from self-publishing pranksters to actual authorities on security. Kevin made the deal.

Mudge got something from the marriage as well. He wanted to “make a dent in the universe,” he said. A hacker’s hacker, he wanted to tear things apart and find out how things really functioned, then either explain them or, if possible, put them back together better than they had been. He applied the same mind-set to other aspects of the world—the computer industry as a whole, politics, and the media. The mainstream media was evolving as the web gave so many others a voice, but it was still a dominant and mysterious force in the world. How did it decide what was true, and which truths were more important? How did other factors come into play, like the sex appeal of a story, potential audience size, and the pursuit of the greater good?

cDc had been moving into a phase of “culture jamming,” playing with the media, as the group became better known. Mysterious criminals messing with not just strangers’ home computers but NORAD’s mainframe made for great copy, and cDc had decided to help explain things, at whatever level the reporter was at. If reporters asked serious questions, they would get serious answers. If a clueless TV correspondent just wanted to hype something as scary, cDc would accommodate that too. The group realized that coverage led to more coverage, especially when so many knew so little about computers. “In the right vacuum a group like cDc can flourish. That’s their talent,” said the Works founder Jason Sadofsky. Kevin, the self-described hype man, had been thinking about the distribution of text files when most people were not. Now there were cameras showing up, and cDc had some credibility, and they ran to the cameras, Sadofsky said: “Here we are! We’re hackers!”

Mudge saw a chance to learn. “The experiment was, how easy is it to manipulate the press and the media, and this is actually fairly relevant right now,” Mudge said in 2018. “If we say something, will it actually be repeated? They would jam information to see how far out it would go. I thought it was fascinating. It made me look at the media in a different way. I started to understand the incentive structures and the restraints on resources.” Mudge took what he learned and applied it back at the L0pht, which shared some members with cDc and was working on similar problems, but which was treated more respectfully by reporters and TV crews. He got to play both good cop and bad cop in the security world.

Though the arrival of the ubiquitous web in 1995 killed off most bulletin boards, cDc managed the transition because of its expanding cast of actual security experts and its physical base at the L0pht. Just surviving was half the battle. Once it did that, cDc’s history made people turn to it when they wanted to know where internet culture was coming from, what the web meant, and how secure it all was. Those who stumbled onto cDc then touted it to others. It was a real resource, but it was also an inside joke turned pro.

The media, of course, were hardest-pressed to explain the web, and they came early and often. When they searched, pre-Google, for news about hackers, they would find Luke Benfey’s 1994 Dateline interview or Geraldo’s “Computer Vice” episode, which somehow linked up everything bad and trashy, from serial killer Jeffrey Dahmer having a modem to the 1988 cDc text file “Sex with Satan.” Geraldo called cDc “a bunch of sickos.” cDc itself touted that and all the other media notices, realizing that journalists would play it safe by calling the same sources that had already been broadcast.

Insiders like Boing Boing zine editor Mark Frauenfelder promoted cDc, and the reasonably well-researched 1995 movie Hackers, with Angelina Jolie, showed cDc stickers in the background. Some of the time, the media’s vague awareness that cDc was about hacking, which was bad, led to bizarre pronouncements. A 1996 story in the San Antonio Express-News about the local air force cyberoperations center, for example, hilariously led with the assertion that the unit “defends the nation’s secrets from the members of the Legion of Doom and the Cult of the Dead Cow in a battlefield that spans the globe.”

Midwesterner Paul Leonard announced an explicit cDc culture-jamming project called cDc Paramedia in August 1996, with the object of “world domination through media saturation.” Misha, Kevin, and Luke were enthusiasts of the effort, Luke adopting the title minister of propaganda. Two weeks after the Paramedia announcement, the group wrote: “We intend to dominate and subvert the media wherever possible. Information is a virus. And we intend to infect all of you.” Misha cheerfully wrote on the group’s site, “We’re a neo-Marxist, anarcho-socialist guerrilla unit forged for the sole purpose of getting on TV.” The group considered what it was doing to be performance art. Back then, the truth didn’t seem as endangered as it does now, so muddying the waters for a cause struck them as ethically acceptable. “It’s one thing if you have a state sponsor of disinformation and propaganda that is trying to affect a particular political outcome, versus trying to raise consciousness of some issue that might not break through otherwise,” said one member of cDc. “The circumstances matter.”

At the time, the group considered getting rid of its old bomb-making recipes out of a sense of social responsibility. But Kevin voted with the majority against burying evidence of the “Anarchy period of the Cyberpunk’s progress,” as he termed it in a group email. Instead, he suggested adding a disclaimer that would say in part: “If you’re smart enough to use a computer and seek out the cDc, then you should be smart enough not to screw around with something like a bomb recipe that is full of spelling and grammatical errors. If the author can’t spell or punctuate properly, what the fuck makes you think he can describe how to build a bomb that won’t kill you?”

cDc became the first hacker group to issue press releases, and Misha compiled a list of email addresses for hundreds of journalists. Whimsically, Luke took advantage of improper access to various databases and sent printouts to an idiosyncratic list of celebrities as well, including Sean Connery, Harrison Ford, Uma Thurman, and Luke’s favorite person, the muscled and campy A-Team star known as Mr. T. Meanwhile, the group remained shadowy, using only handles in its communications and public speeches.

cDc’s open pursuit of attention struck many hackers as refreshingly candid at a time when other hackers were posing as criminal geniuses or visionaries. They were high-functioning tricksters, the media and their audiences the most common victims. A crowning achievement came after a Japanese television reporter complained that her producers had rejected her thoughtful piece on hackerdom because it lacked excitement. Wearing masks or sunglasses and trying to look scary, Luke and two others agreed to be interviewed on camera telling tall tales. They claimed to be able to divert both moving trains and satellites. “They were the showmen of the industry,” Def Con founder Jeff Moss said of cDc. “They were great at taking an issue and calling attention to it.” As for truth-telling, Luke saw as his model the Yes Men, politically driven artists who say they use “public spectacle to affect the public debate.”

As the Netscape browser and Microsoft’s Windows 95 operating system brought the internet to the masses, the security issues that had previously been glaring to hackers suddenly put everyone at risk. The L0pht might flag a few flaws out of thousands that experts could find at any time. But word of even those rarely reached the average computer user. Television commercials funded with venture capital and Microsoft’s monopoly profits hyped the amazing online world. But no one had a strong financial incentive to point out the pitfalls. Almost none in the mainstream media covered security full-time, and those who dabbled were under pressure to write about the great advances in computing, which public-relations people also pushed, not the complicated potential problems that their editors couldn’t quite grasp. While cDc played with the media’s gullibility, it was learning more about how it worked. The group was probing the press the same way it poked at software, and it gradually realized that the greatest threat to security was the poor distribution of true information.

The best place for cDc to start fixing that was at Def Con in Las Vegas. Luke spoke at the third Def Con, in 1995, giving a miniature course in media training. He retold the Dateline story, explaining that the correspondent had badgered him over whether he felt remorse and that he had learned a lot from the experience. For the most part, “the media sucks,” he warned. “You very rarely see a positive or even accurate view of hackers through the media.” Luke advocated sounding out journalists on their angles and declaring what was off-limits. But engaging with serious ones could be worthwhile, he believed, because hackers were in the best position to speak through the media and tell people how to protect themselves and when companies were shipping software full of holes. Public voices were crucial for their kind as well as for consumers, because politicians were weighing laws and enforcement choices that would decide whether hackers would have to stop exploring or face jail.

Luke’s talk at the 1995 Def Con and other media appearances made him a bit of a celebrity among hackers, which made it easy to meet new people, many of whom wanted to join cDc. But cDc didn’t want to be just a social club. That’s where cDc’s Ninja Strike Force came in. Sam Anthony had dreamed up the idea after taking kung fu classes and was the first leader of the auxiliary group. “Terrible people were interested in joining cDc,” Anthony said. cDc wanted to stay small, like the best invite-only bulletin boards. The compromise was keeping cDc elite but expanding through the NSF. So Sam cribbed from a sneaker design, wrote a satiric origin story, and made T-shirts. Early members were people the group liked and respected, including Chris Wysopal, Window Snyder, pioneer maker Limor Fried, and early Apple and Netscape engineer Tom Dell, who had written software for Mindvox and quietly ran Rotten.com, forerunner of the shock website 4chan.

That year’s Def Con had drawn a then-record three hundred people, and at three hundred pounds, Luke was hard to miss. Oakland hacker Josh Buchbinder, who knew him only online, first spotted him in the flesh on the casino floor, holding a teenager upside down by his ankles and shaking him until the coins fell out of his pocket. The kid was so excited that after Luke let him down, he ran away squealing. Someone explained to Josh that it was considered a great honor to be shaken down by Deth Vegetable. That night, Josh joined Luke and his friends to go off into the desert, take drugs, and shoot guns all night, Hunter S. Thompson–style. In a minor miracle, no one was hurt.

Josh stayed in touch with cDc members over the next two years as his skills improved, and in 1997, Dan MacMillan sponsored him for admission to cDc as Sir Dystic. Josh was attending junior college by then after dropping out of high school. He felt behind the curve technologically, since his Bay Area friends were all playing around with Linux, the breakthrough free and open-source operating system that was challenging Microsoft inside big-company server rooms. When Microsoft came out with versions of Windows that could handle internet connections, Josh poked at it. Though his friends thought Windows so inferior as to be uninteresting, Josh figured that enough regular people would end up using it that any research would be worthwhile. What he saw was horrifying. There was essentially no security at all. Anyone who used a Windows machine to read email or browse the web could easily lose control of his or her machine to a stranger. Just about any kind of software would run on the system, and it could be made invisible to the user by those who knew what they were doing. All a user had to do to be infected was click on a file with an innocuous name.

Josh was far from alone in raising the alarm at Microsoft’s head-in-the-sand approach. Chris Tucker sent a draft of a rant to the cDc mailing list in 1997, declaring “Microsoft is evil because they sell crap” that only has a chance of getting fixed in a future version if enough people call Microsoft to complain. “You stupid fucks pay Bill Gates to beta test his crappy software,” Chris wrote. The problem was compounded because Microsoft sold to a handful of computer makers, not the end users, and Microsoft held all the power in those relationships.

Josh knew he could write a program that would prove the point, that would give invisible control to an email correspondent or anyone else who could establish a connection. He could use such a tool himself, to spy or to steal. But that would break the 1986 hacking law while not being all that much fun. Releasing it into the wild, on the other hand—with as much fanfare as possible—would force Microsoft to admit it had a problem and do something to protect its customers. As it stood, selling Windows 95 and 98 “was like giving loaded guns to children,” Josh said. “My point was if we can do this, anybody can. They needed to take this seriously.” Plus, with help from the media, it would be damn funny to watch.

He emailed the cDc list and asked what the other members thought of the idea. Carrie Campbell was opposed to it. She had moved from technical writing to running an internet access provider and now lived near Microsoft’s main campus, where she had many friends. Beyond that, she knew that the program would give new power to thousands of relatively unskilled “script kiddies.” She saw the public-service argument; she just felt the likely side effects outweighed it. “It’s going to hurt average people,” Carrie told them. But she was in the minority. The others gave Josh all the encouragement he needed. Just to make sure he wouldn’t get slapped in handcuffs simply for writing a malicious program, Josh picked up the phone and called the local FBI office. He asked for an agent in the criminal division. “Would I be in trouble if I released a program that others could use to hack people?” he asked. “You’ll have to ask a lawyer that,” the agent responded. Josh would not be deterred. “No, you’re the FBI,” he said. “Would you arrest someone who did that or not?” The agent asked him to hang on. After a while, he picked up the line again. “We would really rather you not do this,” he told the hacker, “but it’s not technically illegal.” Josh checked one last time to be sure: “So, I’m good?” he asked. “You’re good,” the agent sighed.

Then came the hard work: more than a year of prodding for undocumented programming interfaces, the hooks that allowed programs to run on top of Windows. Josh had never written anything remotely that ambitious. But he knew it was possible, he thought Microsoft’s security bordered on the criminally incompetent, and he wanted to impress Mudge and his other new friends in cDc. He smoked a prodigious amount of marijuana and kept hammering away through trial and error.

By 1998, Josh was getting a fair amount of encouragement in person. Misha had moved to San Francisco in 1992 and had bragged about it to Luke and the others back east at every opportunity. One of Misha’s first contacts was the editor of a magazine called Mondo 2000, who reprinted his Information America piece and introduced him to her boyfriend, Eric Hughes, who was about to start the Cypherpunks mailing list, hosted by John Gilmore. Misha spread the word among hackers. The dot-com boom that began with Netscape’s initial public offering in 1995 lured more waves of cDc members and friends to California. Dylan Shea took a job at the Mountain View headquarters of Netscape itself in 1996, and when the company offered to pay for his move, he brought out Luke’s gear as well. Luke re-created the nonresident part of his Allston hacker group home, New Hack City, in San Francisco, turning cDc into a bicoastal operation. First came a hacker space in an old can factory on the border of Dogpatch, a run-down bit of the city. Then came a spot at Market Street and Sixth Street so rough that Luke once caught a woman hiding behind his bulk to smoke crack on the sidewalk. The label on the apartment directory said Setec Astronomy, a nod to the hacker movie Sneakers and an anagram for “too many secrets.” At one open house, someone not in on the joke asked why astronomers would be in a basement apartment.

cDc believed that Microsoft’s response to Josh’s program would be directly proportional to the amount of noise it made. So with its greater understanding of the media, cDc wasted no time in building interest in what it had dubbed Back Orifice, a crude pun on Microsoft’s BackOffice software. It explained in writing what the program could do well ahead of the actual release, which was planned for the biggest Def Con yet, in 1998. It was up to the hacker how to install the program on a target machine, but it could be combined with any desired executable program, like a word processor or calculator, and emailed to the intended victim. Luke’s press release called out features that could log keystrokes on the target computer and encrypt traffic to the hacker who had sent the program. Other software writers could add modules for still more functions. cDc did not advertise the fact that it had taken mercy on Microsoft and the young antivirus industry by setting the default port for inbound traffic as 31337—hacker-speak for eleet: that is, “elite.” All anyone had to do to stop off-the-shelf installations by noncoders was block traffic to that port.

Luke coordinated major stories with Wired and other publications while Kevin and others concentrated on making the Def Con presentation as theatrical as possible. During the Saturday afternoon peak of the three-day con, Kevin and Dylan invented some last-minute gimmicks just before the start of the 4:15 p.m. panel. As Sir Dystic, Josh then went onstage and droned a few boring sentences. A planted heckler, yelling that Back Orifice was a hoax, ran to the stage and grabbed the mic. Luke charged at the man and hoisted him offstage. Then the rest of the cDc crew rushed on. Bringing up the rear was Kevin, with a T-shirt reading GRANDMASTER RATTE, a thick chain around his neck, and white rabbit fur chaps over his jeans. He jumped on the table and started rapping about cDc.

“I can feel the love in the room!” he shouted. “We love our people!” Then he whipped the crowd into a call-and-response: “When I say Dead, you say Cow! Dead!” “Cow!” Kevin handed the mic to Sam Anthony, who sounded calmer. But Sam wore a stocking hat pulled over his face showing a cow skull, and he was explicit about asking the recipients of Back Orifice to hack, and to hack for a cause. “We want you to give back to cDc,” he explained. “We are making it so easy that an eight-year-old can make a difference—can fuck shit up.” After Carrie said a few words, Josh took over and ran through the functions, drawing applause when he showed it popping up a Windows dialog box with wording of his choice. He took questions, and at the end the group threw CDs with the program to the crowd. Afterward, Josh did his preapproved interviews with Businessweek, CNN, NPR, and the BBC, all of whom were stunned that he wouldn’t give his real name. USA Today and dozens of others ran stories in the next day and a half. The New York Times, which had already mentioned cDc in a broader Def Con piece, returned with an article on Back Orifice alone, noting in the second paragraph that cDc said it was trying to get Microsoft to focus on security. It also outed Josh as Sir Dystic.

Nothing like this had ever happened before. At the then height of public concern about hacking, at the top conference on the subject, the best-known hacking group had given out a major tool for free. At least in the short term, it certainly seemed like there was going to be much more hacking as a result. “They pulled this joke off on the most dominant commercial force in the world,” said Jason Sadofsky. “They wanted to get on TV, and they got on TV.”

Yet instead of sounding the alarm or calling for a renewed joint effort to stop hacking or make software safer, Microsoft gave the public impression that it had barely noticed what happened in Las Vegas. “This is not a tool we should take seriously, or our customers should take seriously,” Microsoft marketer Edmund Muth told the New York Times. The company argued that there were no new vulnerabilities involved in Back Orifice. But that claim was aimed at the uneducated and the media. If Back Orifice had relied on newly discovered holes in Windows or other Microsoft software, the company would have patched them in an update, and the exposure would have been confined to those who did not patch. Instead, the issue was the essential architecture of Windows.

The contrast between what Microsoft was saying and what the more articulate hackers were saying was jarring, and it forced many people to think harder about serious issues for the first time. While “Microsoft is fully buzzword-compliant,” Mudge told one interviewer, it only recently had established a security response team and came off to technical people like the town drunk: “It’s almost unfair to continually beat up on them, because they can’t really defend themselves.”

Within months, people had downloaded Back Orifice hundreds of thousands of times just from the cDc website, with an unknown number of pirated versions circulating as well. Many thousands of innocent people fell victim. After internet service provider MindSpring complained that it was detecting at least two new infections of its customers each day, the local Atlanta field office of the FBI opened a criminal hacking conspiracy investigation into cDc and Luke personally, centered on the theory that infected machines were sending stolen data back to servers under cDc control. Because they were doing no such thing, the case sputtered before its formal closure in 2003. Hackers were also among the victims. If they popped a CD with the program into their machines, then read the instructions, they could safely download the virus and begin thinking about sending it to a victim—unless they had set up their machines to automatically play any CD inserted, in which case they immediately infected themselves.

Both fan and hate mail flowed into cDc. One supportive message came from porn star Brandy Alexandre, who said someone had hacked an adult film–industry journalist who used the pen name Luke Ford and deleted files. “Glory be to the dead cow on high!” she emailed, explaining that Ford punished stars by revealing their legal names. “I am your slave if you should happen to repeatedly attack his real names list,” she wrote. “What may I do in return, master?” cDc got fan mail from the mothers of teenagers, an NSA staffer, British writer Neil Gaiman, and an actor from The Texas Chainsaw Massacre 2. But it wasn’t all roses—Josh also got anonymous death threats.

Inside Microsoft, Back Orifice became the company’s biggest security headache by far. When the press realized that Back Orifice was big and that the company had no defense, Microsoft came back with a new message: while there was still nothing to worry about, those who were absolutely convinced that they needed the very best security could buy Microsoft’s forthcoming, completely reengineered operating system designed for networked machines, Windows NT. That system, Microsoft said, offered “a comprehensive set of security features that make it the best choice for business users’ mission-critical applications.”

For all of the planning that had gone into Back Orifice, the group was shocked by how big it blew up. A much larger number of people now saw that hacking was a clear and present danger, which was great. But Microsoft’s bogus response was still holding the line inside most of its big customers. The businesses had no right to sue over software, since the event when a program changes hands was not classified by the courts as a sale. Well-funded industry lawyers had convinced multiple judges that the electronic terms of service that ended with clicks on “I agree” were for licensing deals. There was no liability for a faulty product, under the law, because there had been no sale; the only remedy was to cancel the license, and that was a dead end. Though Linux was fine for heavy loads, there were few alternatives to Word and Excel for regular office workers.

The more time that went by, the angrier cDc members got. Even Carrie, who hadn’t initially supported Back Orifice, agreed it was ridiculous that Microsoft still had its head in the sand after being shown its vulnerabilities. cDc turned to one of its newest and smartest members, Christien Rioux, to take on Windows NT and prove that the group was not a one-hit wonder that had been steamrolled by Microsoft’s marketing department. This time, Carrie was all for it.

“They were like the dog that caught a car. They could have stopped,” Sadofsky said. “But somehow they got in and drove the car and said, ‘Let’s see where this goes.’”