BBC Panorama Interview with Deth Veggie and Sir Dystic of the Cult of the Dead Cow CORBIN Deth Veggie, what is the Cult of the Dead Cow? DETH VEGGIE The Cult of the Dead Cow started out back in the early 80s as initially the republished text files. Actually the first e-zines as now they're called, and although we were involved with the computer underground we weren't the same as other hackers. It sort of evolved to the point where it is today where it's still today our primary focus isn't necessarily technical. We have a lot of like social aims, social activity, but we also have.. there's the technical aspect. CORBIN What's the philosophy of Cult of the Dead Cow? DETH VEGGIE Well one of our primary functions is, is we try to bring information to people that they normally wouldn't ever see from other channels. We publish a lot of text files, a lot of them are not at all technical but not anything that you're likely to find from other sources. We basically like to challenge people's thought ideas and make them think in new ways. CORBIN And hacking, what's the appeal? DETH VEGGIE well I mean if you consider hacking to be the manipulation of a system to make it do something, you know, basically you can hack anything. It doesn't have to apply specifically to computers. You can hack electronics, media, information, there's social hacking, and basically it's a certain amount of power. I mean you can make something do something that it wasn't intended to do. CORBIN And that's the appeal of it? DETH VEGGIE It's certainly part of the appeal. It's the modern exploration you know. SIR DYSTIC I think for me I consider a hacker to be anyone who takes something apart and puts it back together better, and currently it seems like the output, the aspect that it takes is computer hacking but historically there's always been people with that sort of mindset or attitude, we can start like people who I consider to be of the hacker mindset like Benjamin Franklin or Aristotle, people like that, you know, they basically did things their own way. CORBIN Okay, you've obviously explained that hacking can apply to different fields and not just computers, but obviously computers is what we're talking about here today, and Sir Dystic you know when you go on line, when you hack, for want of a better word, that's the word we're using, what do you feel? I mean what do you get out of it? What's the appeal of it? SIR DYSTIC Well like I said, it's a form of exploration. You're trying to, you know, you're exploring ideas or computer systems rather than you know, geographical land, but it's still the idea of being able to go into something and find new things that nobody else has discovered yet before in the sense of hacking being breaking into computers certainly a lot of people do it because they're going into places that they wouldn't normally be allowed. CORBIN And the world at large finds it frightening the idea of people hacking into their systems? SIR DYSTIC People are frightened by pretty much anybody who can do something that they can't and they don't understand. DETH VEGGIE I also think that it's important to see that the danger isn't from hackers in terms of kids. The danger in terms of computer security are from aspects like organised crime or espionage, things like that. The danger is not from hackers like Sir Dystic or myself, or even just other kids out there. CORBIN You showed the way? DETH VEGGIE The way was already out there. The people already were aware of it. Another thing about hackers is that they don't create the whole, security holes, they basically just find them and exploit them. SIR DYSTIC Discover them. They discover them. CORBIN So would you disclaim all responsibility that you put your tools out there and let people use them? SIR DYSTIC People use our tools for all sorts of things and I mean people can use any product in the way it's not prescribed and that in many cases is illegal and certainly using a programme like Back Orifice to break into a computer would be illegal, but in truth it's really not even a programme to break into computers, it's really once a computer has been compromised it allows you to control that computer completely. CORBIN Well let's talk about Back Orifice. Sir Dystic why did you write this programme Back Orifice? SIR DYSTIC That work it essentially came out of.. it was a small simple tool I was writing and then when I realised the possibilities of how far it could be taken, I basically just added every feature to it I could think of and we tried to point out to the world that this really one of the easiest ways that your computer can be compromised and when that happens there's basically no limit to what a remote attacker can do. All it takes is basically coating it, and what I was trying to show is that it really doesn't even take all that much effort to code that and it's a very small, simple programme and it works very efficiently. CORBIN So you're saying you wrote it to show up the faults in the system. SIR DYSTIC Sure. I mean my main issue at the time was with Windows 95 which was essentially released without any security built into it. It had very, very, minimal security and that was a marketing decision by Microsoft, they wanted to have as many people be able to use it as possible. But by sacrificing security it's no longer a secure platform. It's certainly not anything that people should be doing things like online commerce and online banking from but they are marketing it for that purpose. CORBIN But they would say that the fact you wrote this software is very malicious to show up the faults in the thing. SIR DYSTIC It's malicious to for instance show that there's a faulty seat belt in a car? I don't understand how that's malicious. DETH VEGGIE I think it's also.. the point is that there are already things like that out there. In fact when we released Back Orifice all these people came out of the woodwork and went like "hey I had something that did this exact same thing months ago." And because nobody had announced it publicly, nobody was protected against it. Nobody knew that hey, you know, when I'm using my credit card to buy shoes on line, somebody could be capturing that credit card information. Nobody knew that their computer was open to basically anybody who wanted to take a look at it. CORBIN But surely when you create something as powerful as Back Orifice that could have such an evil purpose in the wrong hands, that's very irresponsible. DETH VEGGIE What I was going to say is that when we released it we consciously made several decisions. We made limitations as far as it would go because we didn't want it to be abused too much, like things like not making it viral in that it wouldn't reproduce itself, and not making it polymorphic, things like that. CORBIN It wouldn't change itself? DETH VEGGIE So it wouldn't be impossible to control. SIR DYSTIC But basically I mean the anti-virus' response to it was they started scanning for the Back Orifice programme. One of the interesting things was at that time they also started scanning for a bunch of other similar types of applications, many of which had been around for six months to a year, but they had never bothered to scan for those programmes because nobody was talking about it, nobody was making an issue. If we'd wanted to be malicious about it, we wouldn't have made as much noise about it as we could. We tried to get as much media about it as possible because by raising the awareness of the issue is the only way that anything is going to get done about it. If we'd wanted to be malicious we would never have told anybody about it and we'd be out there exploiting people successfully because. CORBIN Yes, but aren't people using your programme in a malicious way? Isn't that the end result of what you've done? DETH VEGGIE I think when we released it we were very - this may have been kind of idealistic of us but I know that I personally, I hoped and I really believed that by releasing something that was this powerful, Microsoft in this case, would be forced to fix the fundamental problems. The fundamental vulnerabilities, whether or not someone is using a programme to exploit them, are still there and that's a problem. I mean I use Windows computers. Most of the world.. you know, single most popular operating system, and it's pretty scary that there is no security inherent and we hoped that we'd be able to force them to fix that. Unfortunately the response turned out to be basically spin control from the marketing department. CORBIN What about Microsoft's response to your product? DETH VEGGIE They basically buried their head in the sand and said that it wasn't at all a problem and they put out a couple of press releases going point by point talking about issues and our response at the time was to go through and do a point by point response, showing how each of their responses was either misleading or simply untrue, or many of them at least, certainly not all of them. And you know we really didn't even like make that much of a big deal of it after that, but within a matter of months Back Orifice had become so widespread that you could pretty much check any sub net in the world and find it on one or two machines. CORBIN But surely that's the point. You created it and you say you wanted to show up the flaws in the system. But other people out there went and used it for nefarious, malicious purposes. SIR DYSTIC The fact that it was on those machines doesn't actually mean that it's being used for malicious purposes. In fact huge numbers of people actually mistakenly infected themselves because they heard on the media, and this was something I totally didn't expect to happen, they heard about Back Orifice in the media, they went to our website and downloaded it, not looking at the documentation at all they went and ran every single programme, and one of those programmes of course is the programme which runs the server on your computer. CORBIN But surely it shows the dangers of creating such a powerful tool which, in the wrong hands, can really be out of control? SIR DYSTIC Certainly but it's not really any different than any other remote administration system. Somebody has Microsoft, someone wrote administration system installed on their computer and their computer's been compromised. You can control the system remotely through that. Ours is just incredibly small, efficient and has a lot of functionality. DETH VEGGIE I think that we took some of that into consideration when we were designing B02K the second version, for instance since we made it so that it didn't have a default port and password so people couldn't accidentally install it and they actually had to set it up to things. But in my view I think that the ultimate responsibility for these problems lies not with us for pointing them out but with the people who created a fundamentally flawed product in the first place. It's no more the responsibility for people dying in Ford Pintos was not Ralph Nader saying hey look you've run into a Ford Pinto from behind it explodes, it was Ford's responsibility for building something that exploded when you ran into it. SIR DYSTIC But more importantly than even really forcing Microsoft to fix the problem, which obviously they're not going to do because that would require essentially abandoning one of their entire platforms, it's more important that people are aware that these are issues. People who get their computer and go on line first day, it probably never occurred to them that it's even possible for their computer to be taken over remotely. But the fact that BO was so widespread and got so much media attention has made so many people aware that that's a possibility and maybe their decision was okay I'm not going to do on line commerce, or I'm not going to do my home banking. Or maybe their decision was I'm not going to use Windows 95 because it obviously has these problems. But it's really just important that people are aware of the actual issues - DETH VEGGIE So that they can make and educated decision. SIR DYSTIC Exactly, as opposed to a decision based on Microsoft's marketing. CORBIN I mean you've outlined your reasons for doing it very clearly, but I have to say to you that most people out there just think that these guys shouldn't be doing this kind of thing. SIR DYSTIC We don't think the same way as most people. We know that. CORBIN Deth Veggie? DETH VEGGIE I actually believe that anyone who thinks that way just really doesn't understand the situation. SIR DYSTIC I'll give you an example. After I released it I received hundreds and hundreds of emails from various different people and I received emails from people who had had their computers taken over, and not a single one of them blamed me for it. Not a single one of them was mad at me, and every single one of them said the same thing to finish which was "I'll never let this happen again". CORBIN Aren't you afraid that law enforcement is going to be on your back at some point over all of this? DETH VEGGIE We've done nothing illegal. We've talked to law enforcement. They're not happy about it but I don't think they are holding a grudge against me for it certainly. CORBIN What about Microsoft, how do they feel about it? DETH VEGGIE Which part of Microsoft, their marketing department, their programmers, Bill Gates himself? I mean everybody is going to have their own opinion and certainly anybody in marketing is not going to like any negative publicity, certainly people who are the technical nature I would hope at least appreciate the work that went into the product. I mean everybody is going to have their own opinion. I don't expect Microsoft to like it but I do expect them to at least admit that these are real issues and answer to them. CORBIN Talking about law enforcement, moving on from Back Orifice specifically but to the whole sort of hacker area, it seems, particularly in America, that people are getting more serious about pursuing people that they believe have compromised computers or broken in in an unauthorised way. I mean how do you feel about the way that the law if beginning to treat this? DETH VEGGIE I don't have a problem with pursuing people who have actually broken into computers. I think that my opinion is that when someone goes into a computer and damages a system, destroys data, things like that, they stop being a hacker and they become a criminal, and at that point more power to law enforcement. If they're going in and destroying things then they should be punished. SIR DYSTIC One distinction I'd like to make though is that I don't think most people who I would consider hackers do any type of hacking for personal gain. They do it for exploration purposes, information purposes, but they're not out there stealing money from people. Those are the organised crime people. Those are people who are thieves anyway and happen to have picked up the technical knowledge to steal stuff in any way. CORBIN But people don't like the fact that people are breaking in to their computers. They see it as their own personal domain, even if those people aren't stealing anything it's felt to be an invasion of privacy. SIR DYSTIC Invasion of privacy, absolutely, but still, one of the other issues is that people who are getting caught for what I consider to be essentially victimless crimes, breaking into a computer, looking around, not stealing anything, not deleting anything, are getting sentenced to completely unreasonable sentences because they're being made examples of because the chances of actually catching and prosecuting somebody completely for these types of crimes happens so rarely that when it does happen they want to make and example of them. DETH VEGGIE It's not just that, it's that a lot of times in the case it'll be like sort of an arbitrary monetary damage - okay he caused X millions of dollars worth of damage, and then it turns out that the person actually didn't do any damage. What they're doing is okay, that was the cost to go in and patch the holes. The problem with that is that this person did not create those holes. They're not responsible for those holes. All they did was enter through holes that are already there, and whether or not that person came in and exploited them, somebody else could have been doing it, it could have been someone coming in to do actual damage. CORBIN Do you think that law enforcement is getting the right people when it arrests those that it believes are responsible? DETH VEGGIE It's just like any other activity. Sometimes they get the right person and sometimes they don't. SIR DYSTIC I think that with the cases that they tend to go after tend to be the cases that got the most media attention, and the cases that got the most media attention are usually not malicious or particularly ingenious hacks. They're - DETH VEGGIE Web page hacks. SIR DYSTIC Web page hacks, a lot of this service stuff. Those aren't dangerous things. That's not somebody stealing millions of dollars from a bank which is what you really need to worry about. DETH VEGGIE Well I kind of disagree. Denial of Service attacks can be like very malicious and very dangerous. CORBIN Well of course we've seen some this year, haven't we, in February, a great rash of them. Now again there were tools out there that people took advantage of. I mean did you see that coming up? Was that on the horizon? DETH VEGGIE Absolutely. SIR DYSTIC I'd been saying that exactly that was going to happen for years and years. In fact two days before the denial of service attacks I did an interview with a TV station and talked about specifically that, about how in the underground there are people who are collecting lists of ownable and exploitable machines which to be used for some unknown purpose in the future, and that's very exactly what happened. But the attacks we've seen so far have been very, very low tech and very reserved and not particularly successful in my opinion. CORBIN What could happen though? SIR DYSTIC What could happen? I think a worst case scenario would be like a programme for Windows which was by virusidic and wormed itself, that means it copies itself to other automatically hacked into other computers and if that programme were designed to attack a specific website or something it would be so widespread that there would be really little that they could do without actually cutting off access to their legitimate customers because they wouldn't be able to distinguish between the attacking machines and legitimate customers. All they would see was huge amounts of traffic that are overloading their servers. DETH VEGGIE A competent security person could basically shut down the internet. I mean it is completely technically possible, and the fact that it had.. CORBIN Break down completely? SIR DYSTIC Yes, there are fundamental flaws in the internet. DETH VEGGIE - in the protocol that the internet uses, the internet protocol, IP, there's fundamental problems with it that if somebody who knew what they were doing could make the internet unusable for a large amount of time. SIR DYSTIC There's another of the CDC members, Mudge, actually was testifying before the US Senate, was it last year - two years ago and said the same thing in front of the US Senate that if he or any of the other people that knew this sort of thing were inclined, they could take down the entire internet and that needs to be, you know, those are serious vulnerabilities that need to be taken care of. DETH VEGGIE But keep in mind that the people who have that level of ability is the very, very tip of the pyramid. It's an incredibly small number of people and those people have that ability because they have worked with computers and security for years and years and years, and in that time they get over the whole.. you know, oh boy I'm breaking into somebody's computer and I'm going to go change their wallpaper. You get over that really quickly in the first several months. SIR DYSTIC That's really big when you're a 13 year old, but.. CORBIN You're saying that when you get older ethics creep in and you do actually do the right thing? DETH VEGGIE Yes, when you're a 13 year old kid it's the Beavers and Butthead syndrome, you know, you mess stuff up, whereas as you get older and you mature, you develop a sense of ethics, of right and wrong etc. CORBIN But surely the danger is that if the internet is that vulnerable, and there are some people who can wreak havoc that someone could pay them a great deal of money or.. DETH VEGGIE Absolutely. SIR DYSTIC Absolutely which is why we spend so much effort trying to point out these problems to people and hoping that.. I mean we can't solve the problems. We can offer solutions but nobody has to listen to us. All we can do is raise the awareness of the issues and hope that people care enough to make them be fixed. DETH VEGGIE It's like with the denial of service things, as Sir Dystic said. That's something that we've been talking about for years, not just us but people from the hacker community, people from the computer security industry had been saying for years like hey, look, this is a real danger. And then, but then all of a sudden it happens and people act like really surprised like on my God, how did this happen, it's like well, we've been telling you. SIR DYSTIC And like I said.. DETH VEGGIE I was surprised it hadn't happened earlier. SIR DYSTIC Exactly, and I'm also surprised that it was that badly executed. DETH VEGGIE Yes, that it was that easy to set up. I think that the first couple of them were well executed. I think that the vast majority of the ones that we saw were copy cat attacks. SIR DYSTIC True. DETH VEGGIE And those were the ones that were just kind of sloppy. CORBIN So what's the answer then, to stop these kind of attacks, to bring some kind of security? DETH VEGGIE To stop which kind of attacks? CORBIN Well some of the scenarios that you've outlined, whether it be denial of service or of organised crime gangs, getting hold of people. I mean what is your message to people? DETH VEGGIE There's a technical solution and there's a social solution. The technical solution is obviously find every hole and fix it and that's never going to happen because there's always going to be other problems. The social solution is to make people aware of the dangers that go with being on the internet and hope that they can use their own intelligence to protect themselves some way, and granted if all that requires is running some product that some company has provided that actually protects you, that'd be great, but there's no one product that actually provides you any great amount of protection so far. SIR DYSTIC Well there's varying amounts of protection. DETH VEGGIE What exactly? CORBIN What about laws because Congress is looking at various bills to strengthen the law. Is that the answer? DETH VEGGIE It's not the answer. I think the problem with that is that it's all after the fact. I mean you can legislate the heck out of something but it's not going to stop people from doing things beforehand. It's not going to make it harder for them to do it. It just means that okay if they do it they'll be punished. SIR DYSTIC And we know that punishment is definitely a deterrent, right? DETH VEGGIE Yes, I mean with the development of money instead of the idea of putting money into bank vaults they just left the money in paper bags on the street and just said well if you take that money you'll be in really big trouble. You know, it's important to do both. But some of the laws that are being looked at right now are actually counterproductive. Like.. what's the name of the law.. the thing that's being..? DETH VEGGIE The reverse engineering thing? SIR DYSTIC Yes, the reverse engineering thing. If you hold on for a second I can find out what's.. CORBIN No, I know what you mean, yes. What's the dangers of that? DETH VEGGIE Well because that basically prevents people from looking at something and seeing if there's problems, but the criminals, the people who you should worry about, they don't care if it's illegal to break into systems, so if they're planning on doing that, then why would they care if it's illegal to backwards engineer it. SIR DYSTIC It's basically trying to make it security through obscurity. DETH VEGGIE If we make it illegal for people to analyse this stuff, to find bugs in it, then people won't find bugs in it which is just not true. CORBIN You're painting a pretty dark picture of all of this. Is that the way you think we're going? DETH VEGGIE Of which? CORBIN Of the general vulnerabilities, the dangers. SIR DYSTIC You know the internet is a very dangerous place to be and it's being marketed right now as being this neat toy that everybody should come play with, and you know, get online today, and you don't get any warning when you log online. You don't get a warning that says look, you are opening yourself up to these possible ways of being exploited. So it is, in my opinion, a dark situation and like I said, I think that the only way to deal with it is use your education, you know. DETH VEGGIE I think you're a little more pessimistic than I am. I think that the internet, although I think it's tremendously powerful, like tremendous.. SIR DYSTIC Potential? DETH VEGGIE Well, I mean it's a very powerful took and the potential there is for it to either go to very dark future or to a very positive one, it just totally depends on how and what happens now as to what.. you know, what it will develop into. CORBIN Why did you create Back Orifice and release it? SIR DYSTIC I released Back Orifice to point out the risks that people are putting themselves at by using various operating systems which were essentially created with no security built into them. CORBIN Which one? SIR DYSTIC Well specifically Windows 95 is what the original Back Orifice ran on. Windows 95, from what I understand, Microsoft actually took in marketing survey when they were preparing to create it where they itemised or asked people how much they valued each of the different features that they wanted to be into the product and security was somewhere around 24, and of course any time you put security into something you sacrifice usability. Every time you have to log into something or whatever, you have to.. it makes it that much.. or in Microsoft's opinion more difficult to use, or more annoying or whatever, so they do things like save your passwords for you which completely defeats the point of having a password, things like that, and again it was just a marketing decision. They want to market it to six year olds and grandmothers and they don't want to have to deal with.. you know, access control lists and other, you know, big security words that they don't understand. DETH VEGGIE I think fundamentally there's security, be it computer security or physical security is always at odds with convenience. SIR DYSTIC Oh absolutely. DETH VEGGIE The analogy that I always use is that it would be really nice if you didn't need a key to start up your car, but that's not the way the world works. That's not reality. CORBIN That's what you need. DETH VEGGIE Kind of an interesting analogy to that with like for instance saving passwords, catching passwords is like well we need a key to start the car but we'll leave the key in the car. CORBIN That's what you think Microsoft does. DETH VEGGIE The problem is there's so much encasing passwords, the problem is encasing passwords that anybody can read. CORBIN So you say you released Back Orifice to show up the shortcomings and the security of Microsoft systems, but most people say it's just a really malicious thing to do, and dangerous. DETH VEGGIE Well if they heard about it then I accomplished my goal which was to make people aware of these problems. CORBIN Yes but it's still out there and people can use it against other people in a pretty unpleasant way. SIR DYSTIC WellBack Orifice is scanned for in all the major anti-virus software, so the only people who I guess would technically be at risk to it at this point would be people who didn't even bother to run a virus scanner, and they're going to be vulnerable to gazillion different things that are equally if not more dangerous. CORBIN What about ordinary people though, who might not know about that? SIR DYSTIC That's whose awareness I'm trying to increase. I'm trying to make ordinary people aware of these issues. DETH VEGGIE The problem is, is if we'd just started, you know, there wouldn't really be any way for us to publicise the fact of these vulnerabilities, I mean we could have gone on the street corner and started yelling but then they'd just throw us in jail because we're crazy. I think there's pretty limited amount of things you can do to actually be heard. CORBIN But how do you feel when you know that there are people out there whose machines have been infected as it were, with the software? DETH VEGGIE If they're actually being exploited I feel terrible. I mean I think that's really bad. I don't feel responsible. I think that the responsibility ultimately lies with the people who actually are responsible for these problems which, in this case, would be Microsoft. CORBIN Yes, but you created it and put it out there. Surely you must bear responsibility or some responsibility. DETH VEGGIE I don't feel responsible. I've actually thought about this a lot. Like I said, I feel really bad about it, but I think that what Microsoft is doing, the analogy that I use is that basically handing out loaded guns to school children and what we're doing is saying hey, that's really, really dangerous, and... SIR DYSTIC We're pointing out to the kids that if you pull that trigger you can get hurt. Probably a lot of those kids are going to pull the trigger immediately but.. you know, that happens. (laughter) CORBIN Sir Dystic why is the internet so vulnerable? In a nutshell. SIR DYSTIC Because it all is essentially using technology which was designed 20 plus years ago that was not designed for this type of use at all. It was for small, private, academic and research originally and it's using the exact same protocol since day one. There were these fundamental problems in that protocol when it was designed and because everybody is using that protocol now, it's going to take a huge amount of effort to get everybody to switch to a new protocol that doesn't... DETH VEGGIE They're working on it. SIR DYSTIC Oh yes, sure. DETH VEGGIE But I think another problem isn't just the age, it's the fact that because it wasn't designed for this, sort of hobble along doing this, it was hacked and patched together by a million people over the past 25-30 years, able to make it possible to function in the way that it does. CORBIN So it was sort of added to in little exponentially bits and pieces. SIR DYSTIC Exactly, by lots of different people. CORBIN Rather than a whole system being designed. SIR DYSTIC Exactly, and I mean that's a very sort of like over simplification but you don't want me to get very technical about it. CORBIN Sir Dystic, why don't you go and work for Corporate America, you could make a fortune with your skills. SIR DYSTIC What makes you think I don't? CORBIN Deth Veggie, why don't you go and work for Corporate America? DETH VEGGIE We all have day jobs, but that's separate, you know, and a lot of us actually work in the computer security industry doing what we can to make computers and systems more secure. CORBIN Okay. So do you? SIR DYSTIC I work in the computer industry but I don't actually do security. I write software for a living and I do it in my spare time. CORBIN Okay. Thank you. (End of Interview)