USC Annenberg Online Journalism Review

An interview with cDc's The Deth Vegetable

On August 1st at DEFCON, the annual hacker convention held in Las Vegas, the Cult of the Dead Cow unveiled a program that promises to be the latest hacker thorn in the side of Microsoft. The program, called Back Orifice, allows hackers to remotely control any PC running Windows 95 or 98 that isn't shielded by a properly configured firewall. The cDc, which demonstrated the program before a standing-room-only crowd in Las Vegas, has managed to get the attention of most major networks and news services.

The program, which can be installed either directly or as a 'trojan horse' (installed without the user's knowledge), has two components: the server, which is installed on the host machine, and the client, which controls the operation of that host machine remotely.

The server, once installed, is undetectable and not only allows remote administration of the host computer, but also provides keystroke logging and network packet sniffing. This means that information such as user names and passwords, which tend to float around networks unencrypted, is easy pickings for Back Orifice.

The risks to stand-alone PCs are minimal. If your computer is not connected to the Internet, for example, Back Orifice poses no threat. Microsoft claims that users who access the Internet using a dial-up PPP account are at fairly low risk because the IP address changes each time you log on. But the program's ability to sweep through lists of addresses and network blocks while searching for active servers puts any machine connected to the Net at risk.

Perhaps most significantly, Back Orifice makes every PC running Windows 95 or Windows 98 on a public network suspect. Likely targets might be college and university computer labs, where students routinely log into their e-mail accounts, or public access terminals such as those in libraries or even your local Kinko's computer center.
These computers, which have static IP addresses, could easily have the server installed on them in a matter of seconds and be vulnerable to remote control and electronic snooping.

On August 4th, in a security bulletin, Microsoft acknowledged the program's release and promptly stuck its head in the sand, announcing that 'Back Orifice does not expose or exploit any security issue with the Windows platform or the Microsoft BackOffice suite of products' and that users were not at risk as long as they followed 'safe internet computing practices.' Those 'safe practices' basically warned users not to install Back Orifice on their machines and for everyone else to put up a firewall to protect their network, which is kind of like telling Wells Fargo to build a big wall around the bank so they don't have to lock the vault at night.

In any event, the cDc and Back Orifice have made headlines. In order to find out more about both, I talked with The Deth Vegetable, the Minister of Propaganda for the Cult of the Dead Cow. Below are the transcripts of that conversation.

First off, can you tell us a little bit about the cDc? How long has cDc been around? What kind of projects has cDc been involved with?

Well... There are those that would say that the Cult of the Dead Cow is simply the modern incarnation of an ancient gnostic order that dates back to the cult of Hathor, the cow goddess, in ancient Egypt.

Others may tell you that the Cult of the Dead Cow always has been, and always will be. A Universal Constant, if you will.

Of course, all these people are wrong.

In his book, '1984', George Orwell predicted a dystopia, peopled by soulless, spiritless, powerless drones, herded by a clique of absolute rulers, concerned only with maintaining their OWN POWER AT ALL COSTS...

1984... Ronald Reagan is President, it is a 'New Morning in America'.

In Texas, the heartland of America, the bastion of Patriotism and Old Time Religion, a small cabal of malcontents meet in secret.

They gather in a dark hovel, decorated with crude pornography, satanic iconography, heavy metal band posters and, most ominously, the skull of a DEAD COW...

As pirated copies of speed metal and hardcore punk music play in the background, these malcontents speak of their disillusion with The American Way and their obsession with their new computers.

As the music plays, they form an unholy alliance, dedicated to the overthrow of all that is Good and Decent in America.

Realizing that a bunch of punk kids from Lubbock have as much chance of that as Madonna becoming Pope, they then decide to dedicate their lives to pissing off the establishment, becoming famous, and getting on TV.

Thus was born the Cult of The Dead Cow, scourge of the Computer Underground, Bete Noir of high school computer teachers worldwide, The Pivot of Evil for all who seek to blame the messenger, as well as their message.

What is the history of Back Orifice? How did it come about and how long have Sir Dystic and cDc been working on the project?

Back Orifice has been a year or so in research/development, all told. About 6 months for each. Back Orifice was designed to expose some of the gaping holes in what passes for Microsoft Windows 9x 'security.' The holes that Back Orifice exposes aren't even really bugs, but more fundamental design flaws. Of course, Microsoft calls them Features.

Back Orifice does not do anything that the Windows 95/98 operating system was not intended to do. It does not take advantage of any bugs in the operating system or use any undocumented or internal APIs. It uses documented calls built into Windows to do such things as:

- Display all cached passwords. This includes passwords for Web sites, dial-up connections, network drives and printers, and the passwords of any other application that sends users' passwords to Windows so the user won't be inconvenienced by having to remember his passwords every time he uses his computer.
- Create shares hidden to the user and list the passwords of existing shares.
- Make itself mostly invisible. Back Orifice does not appear in the control-alt-delete list of running programs, and can only be killed by a low level process viewer which Windows95 does not ship with. To their credit, Windows98 does ship with a process viewer, but it is not installed by default.

This is the second major program which has exposed serious security flaws in Microsoft (the first being L0phtcrack, released at last year's DEFCON). Why have hackers started targeting Microsoft's operating systems?

Well, there are a few reasons, I think... The most obvious one is that Microsoft is the big kid on the block, their OSs are the most popular in the world. Unfortunately... Quantity does not equate with Quality.

From the standpoint of Computer Security, Microsoft's OSs, particularly Windows 95/98, are distinctly sub-par. Microsoft seems to have completely committed to a strategy of 'Security Through Obscurity,' preferring to play the ostrich with its head in the sand until confronted directly about the deficiencies... and even then, they seem content to issue fluffy marketing bulletins rather than fixes. When they DO release patches, they tend to be specialized fixes that treat the symptoms rather than the disease.

I think the number one reason that hackers have targeted Microsoft, though, is that Microsoft's overwhelming arrogance tends to key the disestablishment tendencies that are prevalent among the hackers of the computer underground.

There seems to be a well-established cycle with exploits in UNIX-based operating systems. Bugs are discovered, advisories are posted, patches are written and distributed, etc. That pattern hasn't seemed to evolve with Microsoft and the relationship between Microsoft and hackers seems far more antagonistic. Why do you think that is?

As I noted above, Microsoft has committed to a strategy of Security Through Obscurity. But guess what, Bill...
Just because you don't ADMIT the holes doesn't mean they're not really there.

I think Microsoft has this twisted vision of their role as being an almost paternalistic one. They don't want anything to upset their users. Nothing to see here, go back to what you're doing. *pat* *pat* It's okay, go back to sleep.

Never mind that someone could be getting into your Windows box and copying all your Quicken financial files, or your TaxFiles, or anything ELSE you may happen to do on your convenient little PC. Computer Security is an increasingly important factor, and it is not one that Microsoft can be allowed to ignore.

Your initial press release says that 'A move like releasing [Back Orifice] means that the lowest common denominator of user will have to come to understand the threat.' Can you explain what that means and why you think that is important?

Well, Microsoft seeks to buffer the user from the actual workings of the computer. They give you a nice little GUI, integrated web browser and all the bells and whistles. But why is there this file with all my passwords cached in plain text? Isn't that bad? Now-Now-Now, don't worry your head about that. Just watch the pretty pictures. Sleep...Sleep.

The problem is that if Microsoft wants to buffer their customers from the workings of the computer, then they have to do a hell of a lot better job of protecting them from OTHER people who DO understand the workings of their computer.

The real threat is not from 13-year-old kids, and warez puppies, and the people who go to DefCon. The real computer security threat is in the realm of industrial espionage, organized crime, and plain old terrorism. (Can you imagine what kind of effect it would have on our economy if all the Microsoft Windows 9x computers suddenly ceased to function? Bad Juju.)

There has been a lot of debate about releasing software on the Net that can be used for hacking.
When SATAN was released, there was a huge controversy and many people likened it to giving handguns to children and setting them loose. What is the impetus for publicly releasing Back Orifice?

It seems to be the only way to force Microsoft to sit up and take notice. We notified them about Back Orifice well over a month before releasing it to the public... and got no response. I know that the L0pht crew also notified Microsoft before releasing L0phtcrack... again, nothing. It was not until these things were released publicly that Microsoft actually pulled their head up out of the sand long enough to acknowledge that, yes, these holes in our security are bad.

We did not create these holes in Windows. They were already there, we are simply letting people know that if they use a Windows machine, their data is insecure.

A better analogy would be that Microsoft has already passed out the handguns, and we are saying 'HEY! That's REALLY DANGEROUS.' Our aim was that Microsoft would be forced to close the loopholes once Back Orifice hit the streets. Perhaps that was a bit idealistic of us, considering their lack of action so far, but we continue to have hope.

Another important thing to keep in mind is that we intentionally watered down Back Orifice before releasing it. We made a conscious decision not to use a strong encryption scheme, or to make Back Orifice viritic/self-replicating, for example. Our goal was simply to increase awareness of these problems; it was NOT to foment anarchy on the Internet, or anything so melodramatic.

Back Orifice is only as dangerous as Microsoft's security is deficient.

There has been a lot of generic hype about Back Orifice, mainly that it can 'control your PC remotely.' As I look through the feature list, it looks like it can do a whole lot more than that. What are some of the features and implications for this program that are going unnoticed?

One thing that hasn't gotten much mention in the press is the fact that Windows caches all your passwords in unencrypted text. Now I, personally, consider that to be a pretty scary 'feature.'

Additionally, Back Orifice actually gives you better control over a computer than if you were actually sitting at the console of that computer. For instance, with Back Orifice you can implement drive shares that are hidden to the user! This is a BAD THING.

What's next for the cDc?

Global Domination through Media Saturation.