Cult of the Dead Cow
History of cDc (Cult of the Dead Cow), the pioneering hacking supergroup that coined hacktivism, built Back Orifice to force Windows security reckoning, testified to Congress under hacker handles, and whose alumni (Mudge/Dildog/Weld Pond) built the modern professional infosec industry.
- Apply the coordinated disclosure framework: notify vendor → wait → publish if ignored
- Distinguish hacktivism (human rights defense) from black-hat hacking and DDoS attacks
- Explain the Back Orifice architecture as a case study in exposing platform-level security failures
- Trace the L0pht → @stake → modern AppSec industry lineage
- Frame security research with narrative strategy to drive policy change
- Evaluate when full disclosure vs coordinated disclosure is ethically justified
Install this skill and Claude can apply the cDc coordinated disclosure framework to vulnerability reporting decisions, evaluate hacking operations against the cDc hacktivism ethical test, trace the L0pht-to-AppSec-industry lineage for historical context, and advise on narrative strategy for security disclosures designed to drive policy change.
The norms around vulnerability disclosure, responsible security research, and offensive tooling ethics that govern today's industry were forged by cDc and L0pht — understanding this history clarifies why those norms exist and how to apply them when facing real disclosure, hacktivism, and security research decisions.
- Advising a researcher who found a critical flaw in critical infrastructure software with an unresponsive vendor on whether to apply the 90-day coordinated disclosure window or move to immediate publication
- Evaluating whether a proposed hacking operation targeting a surveillance company meets the cDc hacktivism ethical test or crosses into black-hat territory
- Structuring a public disclosure announcement to maximize policy impact by drawing on the cDc Back Orifice media pre-briefing and theatrical DEF CON release strategy
Cult of the Dead Cow Skill
cDc at a Glance
- Founded: 1984, Lubbock, Texas (pre-web BBS era)
- Peak: Never more than 20 active members — functioned as a supergroup
- Legacy: Coined “hacktivism”; shaped coordinated disclosure; inspired professional infosec industry
Key Members and Career Trajectories
| Handle | Real Name | Major Contribution | Later Career |
|---|---|---|---|
| Mudge | Peiter Zatko | L0pht founding, L0phtCrack | DARPA cyber lead, Twitter CISO |
| Oxblood Ruffin | Laird Brown | Coined “hacktivism”, Hacktivismo | Human rights hacking advocacy |
| Sir Dystic | Josh Buchbinder | Created Back Orifice (1998) | Underground fame |
| Dildog | Christien Rioux | Back Orifice 2000, L0phtCrack v2 | Veracode CTO |
| Weld Pond | Chris Wysopal | L0phtCrack co-author | Veracode co-founder |
| IOerror | Jacob Appelbaum | Tor advocacy, WikiLeaks | Expelled from cDc 2016 |
| Javaman | Adam O’Donnell | Security research | Cisco security |
Ethical Frameworks cDc Pioneered
Hacktivism
Definition (cDc, ~1996): Hacking in defense of human rights.
NOT: defacement, sabotage, or destruction.
YES: exposing censorship infrastructure, building circumvention tools, disrupting authoritarian surveillance.
Hacktivismo project: created tools for Chinese citizens to bypass the Great Firewall — applied hacking skill to a human rights cause.
Coordinated (Responsible) Disclosure
The L0pht model (1990s–2000s):
1. Discover vulnerability in commercial software
2. Notify vendor privately — give them time to patch
3. If no response after reasonable period → publish advisory
4. If vendor patches → credit researcher, publish technical details
Contrast with:
- Full disclosure: publish immediately, force the vendor's hand
- No disclosure: sit on it (dangerous, no pressure to fix)
- Bug bounties: current industry standard evolved from this model
Key tension: researchers want credit + pressure; vendors want time + quiet
The L0pht Congressional Testimony (1998)
Seven L0pht members testified to the US Senate under their hacker handles.
Core claim: "We could take down the internet in 30 minutes."
Impact: forced Washington to take cybersecurity seriously as policy
Key asks (still relevant today):
- Coordinated national cybersecurity defense (not just offense)
- Reform of Computer Fraud and Abuse Act (CFAA)
- No government backdoors in commercial products
- Centralized cybersecurity agency (eventually became CISA)
Back Orifice (1998) — Case Study in Ethical Offense
What It Was
Remote administration tool (RAT) for Windows 95/98
Author: Sir Dystic (Josh Buchbinder)
Released: DEF CON 6, August 1998
Capabilities:
- Keylogging on target machine
- Encrypted C2 traffic
- Plugin architecture for extended modules
- Default port: 31337 (leet) — easily blocked, intentionally
Delivery: bundled with any .exe, emailed to victim
Why cDc Released It
Goal: Force Microsoft to address Windows' fundamental security architecture
Microsoft's architecture flaw: any program could silently receive
inbound network connections — no permission model, no user notification
Effect:
- Microsoft couldn't deny Windows insecurity (hundreds of thousands of downloads)
- Forced media and public to reckon with platform-level security failures
- Microsoft eventually built security response team infrastructure
- Spawned the modern understanding of RATs / remote admin tools
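The architecture flaw described above (any program could bind a listening socket with no permission model or user notification) is what a defender compensates for with host-level inventory of listeners. The following is an added example, not code from cDc or from Back Orifice: it parses `netstat -ano`-style rows (the sample output is constructed) and flags any listener on the page's stated default port 31337 or outside a site allowlist, which here is an assumed set of expected (protocol, port) pairs.

```python
# Added example (not code from cDc or the page): a defender-side check that
# flags listening sockets a Windows 9x-era platform would have accepted
# silently. Input rows are modelled on `netstat -ano` output; the sample
# below is constructed and the allowlist is an assumption for illustration.

BACK_ORIFICE_DEFAULT_PORT = 31337  # default port stated on the page


def parse_netstat_line(line):
    """Parse one `netstat -ano` row into a dict, or None for non-socket rows."""
    fields = line.split()
    if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
        return None
    if fields[0] == "TCP" and len(fields) < 5:
        return None
    proto, local = fields[0], fields[1]
    host, _, port = local.rpartition(":")      # works for [::]:port as well
    # UDP rows carry no state column, so the PID sits one field to the left.
    if proto == "TCP":
        state, pid = fields[3], fields[4]
    else:
        state, pid = "", fields[3]
    return {"proto": proto, "host": host, "port": int(port),
            "state": state, "pid": int(pid)}


def is_listener(sock):
    """TCP sockets in LISTENING state, and every bound UDP socket, accept input."""
    if sock["proto"] == "TCP":
        return sock["state"] == "LISTENING"
    return True


def find_suspicious_listeners(lines, allowed):
    """Return (proto, port, pid, reason) for listeners outside the allowlist.

    `allowed` is the set of (proto, port) pairs the host is expected to expose.
    """
    findings = []
    for line in lines:
        sock = parse_netstat_line(line)
        if sock is None or not is_listener(sock):
            continue
        if sock["port"] == BACK_ORIFICE_DEFAULT_PORT:
            reason = "back-orifice-default-port"
        elif (sock["proto"], sock["port"]) not in allowed:
            reason = "listener-not-allowlisted"
        else:
            continue
        findings.append((sock["proto"], sock["port"], sock["pid"], reason))
    return findings


# Constructed sample output; PIDs and addresses are illustrative only.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       3100
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1234
  TCP    10.0.0.5:49700         203.0.113.10:443       ESTABLISHED     2200
  UDP    0.0.0.0:31337          *:*                                    1234
  UDP    [::]:5353              *:*                                    2700
"""

# Assumed site allowlist of listeners this host is expected to run.
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 445), ("UDP", 5353)}


def audit_sample():
    return find_suspicious_listeners(SAMPLE_NETSTAT.splitlines(), EXPECTED_LISTENERS)


if __name__ == "__main__":
    for proto, port, pid, reason in audit_sample():
        print(f"{proto}/{port} pid={pid}: {reason}")
```

The established outbound connection is ignored on purpose: the point of the check is the set of sockets that can receive unsolicited input, which is exactly what the 1998-era platform never surfaced to the user.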
The Media Strategy
cDc's approach (template for security researchers today):
1. Pre-brief journalists (Wired, NYT, CNN, BBC) before release
2. Theatrical DEF CON presentation — showmanship = coverage
3. Coordinated message: "We're exposing Microsoft's negligence"
4. Let tool speak for itself — hundreds of thousands proved the point
Lesson: technical demonstrations need narrative framing to drive policy change
The L0phtCrack Lesson
Tool: Windows NT/2000 password auditor
Purpose: demonstrate weak hashing (LM hash, which splits the password into two independent 7-char chunks)
Model: sell as security audit tool → legitimate revenue → sustain research
Key insight: the same tool that cracks passwords IS the audit tool.
Defense teams need to run attacks against themselves.
This became the pentest industry model.
Evolved into: @stake (first major professional hacking consultancy)
Eventually: Veracode, Rapid7, and the modern AppSec industry
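The audit-your-own-passwords insight above can be demonstrated without cracking anything. Because the LM scheme hashes each 7-character half of the uppercased, padded password independently, a half consisting only of padding always hashes to the constant `AAD3B435B51404EE`, so a dump reveals at a glance which accounts still store LM hashes and which of those have passwords of at most 7 characters. The following is an added example, not L0phtCrack code: it assumes the common pwdump record layout `user:rid:LM_HASH:NT_HASH:::` (and the `NO PASSWORD*...` marker some dump tools print instead of a hash), and the sample dump is constructed, not real data.

```python
# Added example, not L0phtCrack code. It audits a pwdump-style hash dump
# (user:rid:LM_HASH:NT_HASH:::) for accounts still storing an LM hash. The LM
# scheme hashes each 7-character half of the uppercased, padded password
# independently, so a half that is all padding always produces the constant
# AAD3B435B51404EE; the sample dump below is constructed, not real data.
from dataclasses import dataclass

EMPTY_LM_HALF = "AAD3B435B51404EE"      # LM output for an all-padding 7-byte half
NO_LM_HASH = EMPTY_LM_HALF * 2          # stored when LM hashing is disabled


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str


def parse_pwdump_line(line):
    """Split user:rid:LM:NT::: into its fields (hashes normalised to uppercase)."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"not a pwdump record: {line!r}")
    return parts[0], parts[1], parts[2].upper(), parts[3].upper()


def lm_hash_present(lm):
    """True if a real LM hash (not a disabled-LM marker) is stored."""
    if lm.startswith("NO PASSWORD"):     # marker printed by some dump tools
        return False
    return lm != NO_LM_HASH


def audit_lm(lines):
    """Return one Finding per account that still exposes an LM hash."""
    findings = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        user, _rid, lm, _nt = parse_pwdump_line(line)
        if not lm_hash_present(lm):
            continue
        if len(lm) != 32:
            findings.append(Finding(user, "malformed-lm-hash"))
            continue
        # A second half equal to the empty constant means the password is at
        # most 7 characters long: only one 7-char half would need recovering.
        if lm[16:] == EMPTY_LM_HALF:
            findings.append(Finding(user, "lm-hash-present;password-at-most-7-chars"))
        else:
            findings.append(Finding(user, "lm-hash-present;two-independent-7-char-halves"))
    return findings


def summarize(findings):
    """Count findings per issue class for a one-line report."""
    counts = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


# Constructed sample dump; the non-constant hash values are illustrative hex,
# not hashes of any real password.
SAMPLE_DUMP = """\
# constructed sample dump, not real credentials
Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
svc_backup:1001:11223344556677889900AABBCCDDEEFF:FFEEDDCCBBAA00998877665544332211:::
jdoe:1002:0011223344556677AAD3B435B51404EE:ABCDEF0123456789ABCDEF0123456789:::
guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
"""

if __name__ == "__main__":
    results = audit_lm(SAMPLE_DUMP.splitlines())
    for f in results:
        print(f"{f.user}: {f.issue}")
    print(summarize(results))
```

Running the audit over the constructed dump flags `svc_backup` (LM hash stored, two independent halves) and `jdoe` (LM hash stored, password of at most 7 characters), while `Administrator` and `guest` store no LM hash. The remediation is the same one L0phtCrack's results pointed at: disable LM hash storage and enforce password length, then re-run the audit to confirm nothing remains.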
Hacking Culture Milestones cDc Drove
| Year | Event | Impact |
|---|---|---|
| 1984 | cDc founded on BBS | First hacker “content” publisher |
| 1993 | First DEF CON with media/law enforcement invited | Opened hacking to public discourse |
| 1996 | “Hacktivism” coined | Named the ethical hacking movement |
| 1998 | Back Orifice released at DEF CON | Forced Windows security reckoning |
| 1998 | L0pht Senate testimony | Hacking entered US policy debate |
| 1999 | L0pht → @stake | First professional hacker consultancy |
| 2000 | Back Orifice 2000 (Dildog) | Cross-platform RAT architecture |
| 2002 | Hacktivismo Tools | Censorship circumvention for China |
| 2004 | Tor advocacy (Appelbaum) | Privacy tool mainstreamed |
| 2010s | cDc members advise Presidents, Microsoft, Apple, Google | Infosec institutionalized |
Modern Relevance: Frameworks for Security Ethics
When to Disclose vs Withhold
Use coordinated disclosure when:
- Flaw is in widely deployed commercial software
- Vendor has security response process
- Exploitation would harm civilians
Use full disclosure when:
- Vendor has been notified and ignored for 90+ days
- Vendor denies severity publicly while privately not patching
- Public is actively being harmed
Do NOT:
- Sell to offensive brokers for weapons use
- Exploit without authorization (CFAA violation)
- Combine research with active exploitation against targets
The Hacktivism Ethical Test
cDc's original framework:
✓ Does it defend human rights?
✓ Does it avoid harming innocents?
✓ Is the target actively causing harm?
✓ Is there a legitimate non-hacking remedy available?
✗ Defacement for publicity only → NOT hacktivism
✗ DDoS against political opponents → NOT hacktivism