Earlier today, Reuters' special reports site "Reuters Investigates" published a report on Beto O'Rourke, a democratic presidential candidate from Texas. The report is sourced by interviews with O'Rourke and other members of a hacktivism community from the BBS days of the internet, of which O'Rourke was a part. It is also adapted from a forthcoming book: Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World.
I wanted to give my take on it as both an infosec consultant and an avid follower of the 2020 political cycle. For reference (and as a disclaimer of sorts), I'm a white man who considers myself a democrat, but I do not support the current wave of far-far-left candidates appearing recently, as I believe it's better to take small steps that have small benefits, rather than putting everything on the table immediately and achieving no benefit whatsoever. I also believe that Americans should be pushing to mitigate issues of gender and racial inequality that still persist today. Beto O'Rourke is a candidate that naturally appeals to me and is one of the candidates I am most likely to vote for in the upcoming primaries, along with Kamala Harris and Joe Biden.
I want to start by saying that I don't consider this report a "hitpiece". The title of the report is rather clickbait-influenced, but it is for all intents and purposes true. Everything in the article is written with a view of "This underground community is really neat and weird", which makes sense given the title of the forthcoming book it comes from. It also makes several references to "Footloose" to push the idea of this really being an underground movement to do what they think is right.
This also seems to play very strongly into one of the defining aspects of the American political environment since Trump's presidential campaign: Different political extremes will see the same things, and use them as evidence that they are right. Most recently we are seeing this with the popularity of Alexandria Ocasio-Cortez, whose various stunts (intentional and unintentional, mild and severe) are being seen as immature by the right, but relatable by the left.
In this case, those on the right will see the actions outlined in this article as criminal activity that immediately disqualifies one from public service. The moderate left will likely see this as a non-issue and maybe even a positive, showing that O'Rourke had strong convictions to help the world, even as a misfit teenager. The progressive left will probably be split between the same ideas as the moderate left, and the idea that this makes O'Rourke less of a "pure" candidate than their favorite progressive.
The report actually seems to speak more about what the "Cult of the Dead Cow" community did, rather than what O'Rourke himself did. And that makes perfect sense, as the book this was adapted from is not about O'Rourke; it's about the community he was a part of. It seems that the report basically outlines three major points of activities that O'Rourke was involved in, that people may find problematic:
Stealing dial-up internet
Pirating video games
A series of (admittedly cringe-inducing) thinkpieces about the pitfalls of modern society and the benefits of anarchic activism
The first two were the ones that were actually illegal in any way, but the report describes how honestly they were not big deals. And I agree: If we can consider a candidate who stole electricity from his neighbors in his past (Source), we can consider a candidate who did the same for an internet connection in his past. And that's not even considering the various damning actions of the current president from his past, the most notable of which was his bragging about sexually assaulting women (Source). And he managed to actually win the election.
A strongly understated point in the report is that Beto O'Rourke did not engage in any black hat hacking or other cybersecurity-related crimes. His involvement in the community was limited to mainly the philosophical thinkpieces, and the desire to be in an underground community of those who had the same taboo ideas as he did.
And this now brings us to the ideas in question. There is no doubt that the "murder fantasy" is going to be what gets quoted on every news broadcast, and I totally understand why - It's really really weird. However, when you think about the mindset that leads to writing things like this, you can start to understand it. The idea of younger people getting hooked on ideas of anarchy isn't necessarily rare (see the increased praise of extreme communism in millenial/gen-z culture today, thinking like the "eat the rich" attitude), and although it is a little cringy and sometimes venturing into the realm of "disgusting", it actually does make sense when you realize this is a teenager realizing for the first time that there are some seriously messed up things in the world, and having a crisis over it. And in the case of O'Rourke, it seems to have mellowed out into a genuine desire to want to fix things within the system, instead of just going for all-out anarchy.
The community in question, when they were actually doing concrete security-related activities, were typically working within a mindset of "hacktivism", basically either trying to directly improve the state of global human rights, or to indirectly improve it through protest. Perhaps the most influential example of this was through the "Back Oriface" malware, which essentially was a trojan that let users remotely control the target machine. It was publically debuted at the DEF CON conference, and was essentially a gambit warning the world "Hey, you know all these 'personal computers' everyone's using nowadays? These can be very very easily used maliciously." The effect? A much stronger focus from Microsoft on the security of their PC OSs.
They also made tools specifically for the purpose of increased privacy and security on the web, such as the end-to-end encrypted IM system ScatterChat (In 2006 - Take that, Telegram!), and various other integrations of onion routing into consumer software, including web browsers.
So, what does this mean for O'Rourke? Well, considering he apparently wasn't involved in a lot of the actual black hat hacking work, not a lot. However, it does mean that he was involved with hacktivism, at least tangentially, and the idea that "hacking" isn't some spooky voo-doo concept that that is always bad, forever, no matter what. Beto O'Rourke could potentially be the catalyst to start to open some minds, in a government that very frequently just pushes aside the idea of hacking as "100% evil" and uses that as an excuse to drum up arbitrary numbers of charges against someone for one action (looking at what's going on with Marcus Hutchins right now).
But hey, maybe that's my love for the 1995 film "Hackers" talking.
Realistically, going forward I don't expect much actual good to come from the discovery of Beto O'Rourke's history with cDc. It's going to be far too easy for people to very quickly handwave away any serious discussion with a quick "hacking is against the law so he's a criminal". I guess the best case scenario would be the government starting to get some open minds about hacking, and a potential rework to existing cybersecurity law. The worse case scenario would be a reinforcement of existing prejudices, with this as ammo (i.e. "Look, this guy is a hacker, and look at the things he's writing about! And he's running for president!").
Personally, hearing about O'Rourke's involvement with cDc has made me more excited to see where his campaign goes, but honestly, "interest in cybersecurity" is pretty low on my list of important attribtues for a presidential candidate, with things like "likely to help fix the racism/sexism problems in the US" (Harris leading) and "likely to win the general" (Biden leading) being much more important. It would be really neat to see O'Rourke as a VP on the general ticket after an early concede, though. I feel like that would be a fantastic spot for him to start influencing the government in the realm of cybersecurity law, while also not being in the most important position in the free world.
Learning to code products doesn't take as long as you think - more precisely, 300 hours to learn, build, and launch. Learn about the history and misconceptions of development preventing you from even starting and then hop on that tech bus.