I learned a lot from this book. The history of the cDc engenders a great deal of respect for the early members as they skirt the line with legality while maintaining pretty fierce ethical and moral standards.
My single biggest struggle with the book is the way it is organized. Menn wants to keep the stories of individuals coherent, so he focuses on one or two member stories at a time, saving one big reveal for the last chapter. This makes a lot of sense to me, but it obscures the timeline, making it difficult to keep the events in chronological order, which in turn makes it difficult to connect various events and people to each other.
With that complaint out of the way, I can safely say I loved this book. I’m frustrated with my younger self because I was ankle deep in technology through the 80s and 90s but thought I was up to my chest and living on the cutting edge. I never viewed myself as a hacker, but I should have at least known something about this world while I was living through it. I should hire the “shame nun” from Game of Thrones to follow me around for a few days. -sigh-
Somewhere about chapter six, I became a bit overwhelmed with the names, and I really wanted a chart or a family tree to keep it all straight. I felt like too much of the history was getting jumbled in my head, so I started taking notes. (No small feat because I listen to books while walking in the mornings.)
The cDc and its subsidiaries are singly responsible for forcing capitalism to take computer security seriously, and with the EFF, arguably the most important players in protecting encryption. When the cDc presented Microsoft with vulnerabilities, they were ignored and then actively derided by the company, so with no other options, they released tools to allow any scriptkiddie to take advantage of the exploit. The first time they were forced to do this in the mid-nineties, it gave the cDc (l0pht) the leverage needed to create an ethical reporting system template: vulnerabilities would first be reported to a vendor with a timeline for repair. Negotiations on the timeline could then take place, but if ignored, the vulnerabilities would be exploited to force the hand of the vendor. While not made clear in the book, this appears to be the beginning of the various bug bounty programs most technology companies run now.
It’s difficult to encapsulate the influence of the cDc covered in this book, and I can’t really do better than the first couple of paragraphs of the epilogue:
“IN ITS EARLIEST days, the chief moral issues for the teens in the Cult of the Dead Cow were how badly to abuse long-distance calling cards and how offensive their online posts should be. But as they matured, the hackers quickly became critical thinkers in an era when that skill was in short supply. In an evolution that mirrored and then led the development of internet security, cDc went on to forge rough consensus on the complex but vital issue of vulnerability disclosure, to show that enabling strong security could be a viable business, and to merge the hacking spirit with activism on behalf of human rights. It also kept a remarkably big tent, roomy enough to include support for acts of civil disobedience as well as work for the military, as long as both were principled. They all helped push a realistic understanding of security challenges and ethical considerations into mainstream conversations in Silicon Valley and Washington. As the big picture in security grows darker, those conversations are the best hope we have.
One lesson from the Cult of the Dead Cow’s remarkable story is that those who develop a personal ethical code and stick to it in unfamiliar places can accomplish amazing things. Another is that small groups with shared values can do even more, especially when they are otherwise diverse in their occupations, backgrounds, and perspectives. In the early days of a major change, cross sections of pioneers can have an outsize impact on its trajectory. After that, great work can be done within governments and big companies. Other tasks critical for human progress need to be done elsewhere, including small and mission-driven companies, universities, and nonprofits. It gets harder to keep the band together over time, but cDc’s impact lives on in those whom members hired, taught, and inspired. That said, a movement cannot control its children. The Citizen Lab and Tor are one thing, while Lulz Security and Gamma Group are another. Trolling and fake news also owe something to cDc, and neither is anything to be proud of."
Anyone interested in the history of technology and/or technology security should read this book. Also, hackers. This is a book for anyone considering themselves a hacker because it contains great lessons: the good, the bad, and the ugly.