Book Review: cDc The Long Version
I wrote this long version a year ago after I posted the short version of my review of “Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World” by Joseph Menn and I received fair bit of criticism from some cDc members. I was called a troll, a self righteous prick, an asshole and other choice names. As a result I felt it was necessary to detail my many issues with the book. So, here is the long version.
Books can be funny things. Anyone can write one. The author can put into it whatever they want, and yet once it is written down into a book the information takes on an authoritative tone. People assume that once it is in a book it must be true, and discrediting something that has been published in a book can become extremely difficult and time consuming. Even with that effort, what was written may become commonly accepted as “fact” or lore.
Some books deserve to be held aloft and pointed to as an example of factual correctness. These books are valuable resources. Other books take liberties with the facts, or present alternate truths. This is especially true of books that rely on people’s memories with little corroborating evidence to back it up. Memories fade and events are remembered differently by different people. Worse, storytelling and a “collective memory” can change over time like the classic kid’s game “Telephone”.
In Joseph Menn’s book “Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World”, I remember the events described a bit differently. I feel it is important that the differences between my own personal memory and Menn’s depiction be documented somewhere. Letting the book stand as is without challenge would be a disservice to future researchers. My own memory is not infallible and it too may be inaccurate, but I feel it is important that alternate viewpoints be presented. I have already detailed some of my objections to Menn’s book in a book review posted to my blog. However, the inaccuracies go much deeper and the perceived authoritativeness of Menn’s book seems to be increasing.
The actual ground truth of course lies somewhere in the middle. Perhaps I can put my own recollections into a more authoritative book someday, but until then this document will have to suffice.
Menn’s overall premise that Cult of the Dead Cow was a ‘Hacking Supergroup’ does not fit with the perception of cDc by non-members at the time. Menn actually mentions this several times in the book such as when he calls the cDc a ‘performance art group’ (page 2), the ‘liberal arts section of the computer underground’ (12), ‘the arts wing of the hacking community’ (21), ‘successor to the Merry Pranksters’ (23), ‘more of a social space’ (25), and ‘they were an enormous inside joke for hackers’ (47). These descriptions do not equal ‘hacking supergroup’ unless you have an extremely liberal definition of the word hacking. Hacker groups such as Legion of Doom (LoD), Masters of Deception (MoD), the 414s and many others who also existed in the same time frame would be a much better fit for the moniker of ‘hacking supergroup’.
On page ‘xi’ just prior to Chapter 1, Menn lists out what he calls ‘The Players’ but conspicuously does not list several members of the cDc itself. While I understand that Menn seems to only want to list the people that he feels are important to his story, he does not make that clear, so the impression is that there were only 2 members of Legion of Doom, only two members of masters of Deception, and that a related group, the cDc Ninja Strike Force only had three members. Menn seems to cherry pick his facts throughout the book, only choosing to include those things that won’t interrupt his narrative despite there being a significant number of other people and events that should be included to help shape and give background to the story he is trying to tell.
One of the things I found extremely confusing throughout the book was Menn’s interchanging of labels for the main characters. In some cases he refers to people by last name, in some by first name, and others only by their handle. In some places he does all three in the same sentence (45). This makes trying to keep track of who’s who in the book more difficult than it should be.
On page 2, Menn claims that cDc invented the word hactivism, something they have claimed for a long time, and completely ignores research into the origin of that word and instead leaves that small mention as a footnote (215) in the back of the book where it is unlikely to be seen by the casual reader or the audiobook listener. When an author perpetuates a claim that has essentially been debunked, it forces the question about the authors objectivity.
The hacker group L0pht Heavy Industries is described on page 3 as “Mudge’s squad”, somehow inferring that he was the leader or that The L0pht belonged to Mudge. This inference is done is several places throughout the book. This confusion isn’t limited to Menn either as it appears in other publications as well. Mudge may have seen himself as the leader but the rest of us, or at least I, did not. Perhaps I was being naïve; I definitely considered Mudge our public face, or front man, but definitely not our leader. We had weekly meetings which where run by Brian Oblivion a founding member, and we voted on important topics as a group. The inference that Mudge somehow dictated what the group did and determined its course is inaccurate. This is a side of the story possibly being pushed by Mudge himself, as I am sure his memory of events differs from mine.
On page 25, Menn clearly describes what many of us know as Operation SunDevil, the 1990 nationwide US Secret Service crackdown on “illegal computer hacking activities.” It involved raids in approximately fifteen different cities and resulted in at least three arrests, the confiscation of computers, and the shutdown of several BBSs. While Menn does mention this event he fails to name it, not even in a footnote, doing a disservice to the reader who may want to further research this event. Menn also contradicts his own title here calling the cDc ‘more of a social space, a refuge for hackers blowing off steam, than a place to plot actual hacks that ran afoul of the law’ (25) which seems to indicate the cDc wasn’t a ‘Hacking Supergroup’ as indicated in the books title by any definition.
One of the cDc’s preeminent text files, #200 titled “The cDc #200 Higgledy-Piggledy-Big-Fat-Henacious-Mega-Mackadocious You-Can’t-Even-Come-Close-So-Jump-Back-K-B00MIDY-B00MIDY-B00M File”, is briefly mentioned on page 32 and yet no mention of DemonSeed Elite (mentioned 10 times in that file). This is a part of the cDc mythology that has seemingly escaped the cDc collective memory itself, and if the file is going to be mentioned at all, and that it included monster trucks… how can you then not also include the name of the monster truck? Especially when the name is as cool as DemonSeed Elite? A reference to an obscure 1977 horror film ‘Demon Seed’ about a self-aware psychotic computer that impregnates a woman with its demon seed.
You really can’t write about the cDc without also writing about the L0pht. Four cDc members have connections to the L0pht including two of its founders, Count Zero and White Knight. However, it is important to remember that the two groups were separate distinct entities. Menn does state that there “were important differences between cDc and the L0pht” (41) and then pretty much proceeds to blur the lines between the two organizations. Going so far as to call L0pht the cDc ‘physical base’ (59). Just like you might be a member of your local volunteer fire department but you also happen to work as a police officer does not mean that the fire house is also a police station.
The appearance of Deth Veggie on NBC News Dateline (48) is treated as if it went exactly as the cDc planned. It did not. Myself and others at the L0pht told Deth Veggie and the rest in the hacker house they lived in called Messiah Village that appearing on Dateline like this was a bad idea. I personally tried to warn Deth Veggie that no matter what he would not come out looking like a hero or defender of free speech. He either didn’t listen or decided the lure of the national broadcast TV was too strong. Menn describes this as Deth Veggie wanting to “have a broader debate” (49); I saw it as someone blinded by the TV camera lights instead. That Dateline episode is painful to watch, even today, as Deth Veggie just comes off as a punk kid acting irresponsible.
At the bottom of page 49, Menn mentions New Hack City, the name of a house shared by a group of Boston hackers, mostly refugees if you will from two other hacker houses, one named Messiah Village and the other Hell House. But Menn fails to mention where the name New Hack City comes from, which was a play on the 1991 movie ‘New Jack City’, which was used as the title for a magazine article in Esquire. Unfortunately I can’t find the source now, but I am sure while interviewing cDc members Menn must have asked where the name came from, especially seeing as how it was so close to ‘New Jack City’.
Menn mentions on page 50 that Window Snyder had ‘took off’ from New Hack City but fails to mention who it was she took off with. Menn alludes to this person in several other places in the book but fails to mention that it was GHeap aka Garbage Heap aka Dave Goldsmith. Possibly because Dave doesn’t want to be identified but if that was the case Menn should have said so and not even mentioned his presence.
‘Mudge’s list of aliases ran for ten pages’ (54) this is obviously hyperbole but Menn just lets it sit there on the page with no challenge. He does mention that Mudge ‘does at times exaggerate’ but leaves that as a footnote way in the back of the book. A footnote that will be unread by most readers and not heard at all by audiobook listeners. This seems like an important note that should possibly be in the main text of the book and not relegated to the back pages. This is apparent later on page 57 where Menn mentions that Mudge ‘let people think that he did more hands-on hacking than he did.’
While this is not supposed to be a L0pht book there are a lot of the pages devoted to L0pht. Which is fine but if you are going to take the time to write about a separate organization and devote a considerable number of words to the topic I would think the author would flush out the major parts of the story and not compress significant events into a few words like ‘moving to a bigger space’(55) or ‘newly incorporated’ (56). Menn compresses the entire disclosure debate which has been raging inside infosec circles for decades into a few paragraphs on page 57 and 75.
On page 57 Menn mentions a ‘leading security figure’ like it is some big secret, why not just say Marcus Ranum?
I also take exception to the fact that Menn calls the 1995 movie Hackers ‘reasonably well researched’ (60). That movie was a farce, a joke, a play on words, and was anything but realistic, calling it ‘reasonably well researched’ indicates that you have absolutely no idea what was actually going on at the time. Or that you were being successfully trolled, again, by your interview subjects who told you it was an accurate depiction.
Menn claims that cDc had ‘taken mercy’ (66) on Microsoft by setting the default port of Back Orifice to 31337 which in my memory had nothing to do with Microsoft. Back Orifice had to have an open port, it could have been anything, obviously they were going to choose the ‘elite’ port. 31337 is often used in ‘leet speak’ to reference the word elite. On page 68 Menn labels Back Orifice as a virus, which is far from accurate in the technical and literal sense. A virus has self replicating code, it can make copies of itself, BO can not. cDc referred to BO as a remote administration tool, they fought against its inclusion in Anti-Virus software. Menn calling it a virus, with all the negative connotations that brings seems, to fly directly in the face of Menn’s underlying thesis and shows his lack of understanding of the subject matter he is writing about.
Somehow Menn comes up with a $500,000 figure (73) for the income of L0phtCrack, the L0pht’s password auditing tool. It never made anywhere near that much. Unfortunately Menn never bothered to verify this figure with anyone and after speaking with the people Menn interviewed who might have given him this figure I was able to trace it to one uncorroborated source. The command line version of L0phtCrack was given away for free, if you wanted the GUI you had to pay, and the early version only cost $50 a seat. By version 2.4 that amount had increased to $150. $500K would have been quite a few copies of L0phtCrack. If we were making that kind of dough L0pht probably would not have needed to sell to @Stake later on.
I take exception to Menn’s inference on page 77 that I and other members of the L0pht were unclean.
The Hong Kong Blondes are finally revealed as the joke they are on page 88 but Menn just brushes by that revelation and continues writing the HKB story as if they are real and actually existed. Considering how much media attention the HKBs received at the time not calling out that the entire story was made up in stronger terms is a disservice to the reader and to history.
While the joint statement against the declaration of war by the Legions of Underground is mentioned, it is credited as being the brain child of cDc. Being the editor of the Hacker News Network I was directly involved in this event. I sat in on the LoU chat room and captured their logs. It was the Chaos Computer Club that drafted the statement and then sought other groups to sign on. L0pht was particularly reluctant to be a signatory and only after I wrote a passionate email to the rest of the L0pht did they agree. Considering how nicely this incident fits into Menn’s overall narrative of morality and ethics I am surprised that it did not get more coverage in the book, perhaps because it shows cDc as only one group among many who all shared the same morals which would reduce the overall impact of cDc? I don’t know.
There is an entire chapter of @Stake, I won’t go through and nitpick everything in this chapter because I honestly don’t understand why it is even in the book. The connection between @Stake and cDc is even weaker than that of L0pht and cDc. Suffice it to say that this chapter in my copy of the book is filled with notes and highlights of inaccuracies. Someone will need to write the story of @Stake, I was only there for a short time so it won’t be me, but it is a story that I hope gets told, accurately, some day. Menn’s portrayal is not it.
As for the chapter on Tor and Citizen Lab I see the connection between it and cDc also as very thin. I can not speak as to the accuracy of this chapter as I wasn’t involved at all but based on the lack of accuracy in the rest of the book I can only assume that the same continues here. The same for Jabob Applebaum, or ioerror, yes he was a member of cDc but most of his actions happened outside of cDc. His public expulsion from the group is a necessary bit to include but I’m not sure the rest of the chapter is worth mentioning.
While Menn chose to include things that are only questionably related to cDc he also chose to exclude things that the group was very closely involved with. Menn does not mention that cDc was directly responsible for the Good Times Virus hoax https://en.wikipedia.org/wiki/Goodtimes_virus, he does not mention the time that the cDc, a ‘hacking supergroup’, was itself hacked by a group know as zF0 http://web.textfiles.com/ezines/ZF0/zf03.txt. Absent is the cDc’s own declaration of war against the Church of Scientology https://www.cultdeadcow.com/news/scientology.txt directly contradicting the groups signature on the condemnation of LoU for the same thing. The fact that cDc tried to purge some of its own writing in later years is missing. There is little to no mention of the groups very large physical migration from the East to West Coasts.
There are entire chapters about Back Orifice and BO2K but no mention of the competing software titles available at the time such as Sub7 and Netbus which had the exact same capabilities as BO but not the flashy release on stage at Defcon. Which one was more widely used? Which one exerted more pressure on Microsoft? Menn writes that it was all because of Back Orifice and fails to mention the contributions of other remote access tools available at the time.
Menn doesn’t even mention several cDc members or Ninja Strike Force members. In a book attempting to document the groups influence it would seem important to at least mention the groups membership, especially doing such a deep dive on so few of them.
Menn has painted an interesting story of morality and ethics during a tumultuous period and it makes for a great read. But it is just that, a story. There are too many inaccuracies and left out facts to call it anything else. Perhaps I am nitpicking, perhaps such varnishing of facts by an author is normal. My hope is that enough other people who were there and present for these events write down their experiences somewhere. It would be a shame if this was the only version of this history to survive.