What drove you to release the Back Orifice software?
Reid and Count Zero (pictured) are members of the Cult of the Dead Cow, a hacker organization which developed "Back Orifice,"
a computer program which allows the user to remotely view and control
any computer running Windows 95 or later. They say they developed the program
to demonstrate the weak security in Microsoft products.
REID: For us, the motivation for releasing Back Orifice was that Microsoft has
the world's most popular operating systems installed on 90 percent of the
computers in the world, or at least the desktop computers. And those people
are being encouraged, urged, to take those computers and plug them into the
internet. Unfortunately those people are wide open to attack of various kinds.
We thought we would be serving the community best by demonstrating that we
could easily write a tool that would take advantage of that, and proof for the
ability to do that.
For the layperson who's never heard of it before, what would it allow
someone to do?
REID: Back Orifice is a program that comes in two parts. It allows
someone sitting at one computer to control everything going on at a computer at
the other side of the internet. So you can be sitting at a local machine and
you could see what's happening on a remote machine that maybe you've never
actually been to. As long as they've got the Back Orifice server installed,
your client machine can see what's on their desktop. They can take out the
mouse, take over the keyboard, and watch what's happening on the keyboard. You
could upload files to that computer, and download files from that computer.
You have what's known in the community as a "root kit." Essentially, you have
control over that machine as if you were there. In fact, you have more control
over that machine than the person sitting at the keyboard does, because we
expose more power through the Back Orifice tool than Windows 98 Desktop
What did you hope to achieve by putting it out?
REID: Ultimately, we were trying to get Microsoft to admit that they
were encouraging people to join this global community with a completely
insecure product, and then hopefully people will not store their credit card
numbers on their hard drives. They would not keep their diary there. They
wouldn't conduct business with this computer. Or, even more optimistically, we
were hoping that maybe they would implement a strong security model in Windows.
Neither of these things actually happened, so it's a failure on that count.
But those were pretty high goals, I think.
What was Microsoft's response?
REID: Originally, Microsoft's response was that Back Orifice was not an issue,
that it was something that no one should pay attention to. And then two or
three days later, they changed their tune, and suddenly Back Orifice was a
malicious tool designed to do nothing but wreak havoc. And then, less than a
week after that, their response was that Back Orifice is a tool that does not
expose any security holes in Microsoft Windows and should be considered a safe
and innocuous administration tool in the hands of a professional.
So everyone in the world who is using Microsoft at the moment is vulnerable
to Back Orifice, as we speak?
REID: Yes, either Back Orifice or Back Orifice 2000. They're capable of
running on Windows 95/98, [NT] and Windows 2000 machines. That's basically
everybody. . . .
COUNT: . . . People are saying, "Oh, there are going to be a lot of people who
are just. . . really mad at CDC for doing this," because their computers could
potentially be abused because of these vulnerabilities. Our take on this was,
"Well, they should be really mad at companies like Microsoft, who create these
environments that are just so unstable." We take it for granted now that
computers will crash several times a day. We take it for granted that you have
to be afraid when you get an email attachment; you have to figure out where
it came from. "Is it worth it to open this spreadsheet where I might blow up
my computer?" We've developed a kind of culture of a passive, beat-down fear.
. . . If you got in your automobile and every day it would stall several times,
and every once in a while it would just sort of randomly explode into flames
and destroy all of your personal belongings, like when your computer crashes
and you lose your files, you would be really mad, and furious at the car
manufacturer. . .
I think it's a real travesty that we see . . . these insecure environments as
the way it has to be, because, "Heck, it's always been that way." The people
who are calling the shots in terms of building it are just building them their
way, and they don't care. . . .
REID: It's more than just Microsoft producing what amounts to almost a
negligent security model in their operating system. It's also the fact that
they're marketing it specifically to end users who want to go on the internet,
people who may have bought their first computer ever. Those people are not
computer security experts. They don't know what's out there.
So it's like building a really cheap car and saying, "Now, drive this on these
really rocky roads," deliberately putting them in an environment where you know
that what they have designed is so inadequate for that environment, and
marketing it to student drivers. . . .
It seems patently obvious to the layman that if you point out this
fundamental flaw, it will be fixed. Why isn't it fixed? Why don't they fix
it? . . .
COUNT: They won't change something unless the people demand it. That's the
trick. And people are not demanding the security. . . .
REID: Although, in all fairness, we should point out that the beast on
Microsoft's back here is the fact that they need to be backwards-compatible
with previous versions of Windows operating system, which themselves were
insecure. So there may be legitimate technical hurdles for them to overcome in
order for a new version of Windows to have, in our eyes, nice security. But
then again, what kind of software company do you think could take on a
challenge like that, if not Microsoft? Do you think anyone other than the
world's largest software company could pull that off? And if they can't,
then we're all in trouble.
It's already happening. The open source movement is a kind of response
to that, where if the companies aren't doing it, then heck, all of these
millions of programmers around the world will do it. Apache is the
most popular web server software because . . . all the people who were
building it were the people who were going to be using it. And they . . .
solved that problem. Models will be built in there, because it will have
truly been something designed by technical people, who created security models
from the very beginning as part of the product. . . .
Back Orifice could now be used by the state to run surveillance on any
computer it wants?
REID: Absolutely. In fact, there have been various press releases by
different federal and state agencies, talking about how they've in fact hired
companies to write tools. Or there have also been news stories about
clandestine operations to write software, or companies putting out press
releases, stating that they've been hired by unnamed government agencies to
write software to do small subsets of Back Orifice's functionality.
I think even slightly more interesting is the possibility that somebody took
our open source code for Back Orifice 2000 and tailored it for their own
purposes and never told us. The entire code for Back Orifice 2000 is available
on our web site, and you can download it, you can inspect it, and you can make
modifications. All we ask is that you please submit those changes to us for
our own perusal, and you don't sell it. It's quite likely that somebody has
already taken BO2K source and written their own tools that haven't surfaced yet
in public. . . .
Do you see dangers in us being so wired and connected the way we are at the
COUNT: I think about that a lot. . . . I think a lot of the fear that's
happening is fundamentally because there are big misconceptions of what the
internet is all about. The internet is not a nicely packaged lined up row of
books in a library where everything's organized by the Dewey Decimal System and
everything is published by a handful of publishers that control all of it.
It's not something that's sanitized, categorized, shrink-wrapped and
freshness-dated on a shelf. The internet is a mirror of society. It truly is
something that reflects all of the elements in the physical world--the types
of people who use it, the types of things that are on it, what's being said,
and what you'll see and read. . . . People who are criminals are going to be
on there. There are going to be people on there where you just cannot
understand where they're coming from, and that'll scare some people. . . .
Society is complex, and it's often very messy. And I think people just have to
deal with that, roll up their sleeves, and jump in and just get involved and
try to fix things that are broken, and accept the fact that other people are
going to say that things you don't like a lot of times.
REID: The internet itself was constructed with this idea that we were all
going to be nice to each other. All of the standards and all of the protocols
assume, basically, that no one is going to lie or cheat or steal. It was
designed basically for the US government in planning a war, and then it was
co-opted by scientists to coordinate research. And there was really no effort
made early on to insulate that, or to protect against people who just are
outside the trust model, people who just want to go in and see what they can
do, and they just don't care. Unfortunately, it's hard to build on top of a
system like that and not retain some of those strengths and weaknesses. Those
protocols are very simple, they're fast, they're efficient. But they are wide
Nowadays, we are paying for the sins of our fathers in the same way that we had
the Y2K bug, which we spent years gearing up for--and thank God we did, because
it could have been awful. The general public is sick of hearing about Y2K, and
they assumed it was a big joke, but it never was. That could have been very
devastating. But those kinds of problems exist on the net in spades. If
somebody wanted to take down the internet, they could do it; they could still
do it. None of that has changed. . . .
How should the public view hackers like you? Are you demons, are you
crusaders, should we be embracing you, should we be attacking you?
REID: I think the first misconception that people have about hackers is that
it's a giant political party, or it's a voting bloc, or it's organized somehow.
And it's not. It's like asking what should people think about carpenters.
It's just a very loosely defined group of people. In fact, we can't even seem
to agree on a definition of hacker most of the time. . . .
COUNT: It implies curiosity, and looking at how you can use tools in different
ways and how you can think of new tools to extend people's abilities to do
things. But the best definition I heard of a hacker was just someone who . . .
if they saw something closed and it was doing something, they just wanted to
open it up to see how it was working, and then how to maybe play with it a
little bit to make it work a little better. . . . It's just a general loose
sort of mentality based on focusing on technology.
. . . I don't think the public should be afraid. I think hackers in general
are explorers. They're exploring new territory. And of course when you're
exploring territory, some people are going to cut down all the trees and screw
up the environment, and other people are going to catalogue all of the wildlife
and create very useful scientific resources. . . . The key thing that you'll
find probably at conferences like this is that hackers like to talk about what
they're finding. . . . So as long as people continue to engage with the
"hacker community," then we can all learn and move the whole society forward
and continue to expand the frontiers of the digital world. . . .
Do you have a sense that you are in a historical time, playing a historical
REID: I think we're all sitting in on a historical moment. The internet ranks
as one of the world's great inventions, like the wheel, or germ theory, or
anesthesia, or any of those things, and it has the power to transform the globe
in ways that are almost unprecedented. The United Nations just released a
report stating that, by the year 2004, no human being on the planet will be
more than half a day's journey from a physical connection to the internet. And
they specifically cited the case of somebody in the middle of the Sahara
Desert, who, by their estimates, ought to be a half a day's ride from an
internet terminal. . . .
COUNT: . . . Ultimately, the concept of going somewhere to get on the internet
will become sort of very quaint and old-fashioned, because everyone will be
online all the time, and everything will be online, communicating with other
things. We're a unique species in that we do two things really well--we
create language and we create tools. And now we're actually creating tools
that have their own language that can then communicate with other tools. As
everything becomes computerized, your refrigerator will tell your watch that
you need milk, so when you're in the car and you drive by a store. . . . It'll
tell your watch, which will then speak to you and say, "Why don't you go pick
up some milk." . . .
I'm very concerned that we make sure we get it right in terms of the security.
Because it's one thing if your computer blows up and crashes on your desktop
and you're like, "Well, I'll go get a cup of coffee while I reboot." It's
another thing if . . . ultimately, your entire life sort of crashes around
you--your refrigerator crashes, your car crashes, and a new implant in your
body crashes. How do you reboot that? . . . It's just going to become more
ubiquitous--this internet environment, this global digital network. And if we
don't get it right, it's just going to be a big mess, and that scares me a
home · who are hackers? · risks of the internet · who's responsible · how to be vigilant · interviews
discussion · video excerpts · synopsis · press · tapes · credits
FRONTLINE · wgbh · pbs online
some photos copyright ©2001 photodisc
web site copyright 1995-2014
WGBH educational foundation