Reid and Count Zero (pictured) are members of the Cult of the Dead Cow, a hacker organization which developed "Back Orifice,"
a computer program which allows the user to remotely view and control
any computer running Windows 95 or later. They say they developed the program
to demonstrate the weak security in Microsoft products.
What drove you to release the Back Orifice software?
REID: For us, the motivation for releasing Back Orifice was that Microsoft has
the world's most popular operating systems installed on 90 percent of the
computers in the world, or at least the desktop computers. And those people
are being encouraged, urged, to take those computers and plug them into the
internet. Unfortunately those people are wide open to attack of various kinds.
We thought we would be serving the community best by demonstrating that we
could easily write a tool that would take advantage of that, and proof for the
ability to do that.
For the layperson who's never heard of it before, what would it allow
someone to do?
REID: Back Orifice is a program that comes in two parts. It allows
someone sitting at one computer to control everything going on at a computer at
the other side of the internet. So you can be sitting at a local machine and
you could see what's happening on a remote machine that maybe you've never
actually been to. As long as they've got the Back Orifice server installed,
your client machine can see what's on their desktop. They can take out the
mouse, take over the keyboard, and watch what's happening on the keyboard. You
could upload files to that computer, and download files from that computer.
You have what's known in the community as a "root kit." Essentially, you have
control over that machine as if you were there. In fact, you have more control
over that machine than the person sitting at the keyboard does, because we
expose more power through the Back Orifice tool than Windows 98 Desktop
does.
What did you hope to achieve by putting it out?
REID: Ultimately, we were trying to get Microsoft to admit that they
were encouraging people to join this global community with a completely
insecure product, and then hopefully people will not store their credit card
numbers on their hard drives. They would not keep their diary there. They
wouldn't conduct business with this computer. Or, even more optimistically, we
were hoping that maybe they would implement a strong security model in Windows.
Neither of these things actually happened, so it's a failure on that count.
But those were pretty high goals, I think.
What was Microsoft's response?
REID: Originally, Microsoft's response was that Back Orifice was not an issue,
that it was something that no one should pay attention to. And then two or
three days later, they changed their tune, and suddenly Back Orifice was a
malicious tool designed to do nothing but wreak havoc. And then, less than a
week after that, their response was that Back Orifice is a tool that does not
expose any security holes in Microsoft Windows and should be considered a safe
and innocuous administration tool in the hands of a professional.
So everyone in the world who is using Microsoft at the moment is vulnerable
to Back Orifice, as we speak?
REID: Yes, either Back Orifice or Back Orifice 2000. They're capable of
running on Windows 95/98, [NT] and Windows 2000 machines. That's basically
everybody. . . .
COUNT: . . . People are saying, "Oh, there are going to be a lot of people who
are just. . . really mad at CDC for doing this," because their computers could
potentially be abused because of these vulnerabilities. Our take on this was,
"Well, they should be really mad at companies like Microsoft, who create these
environments that are just so unstable." We take it for granted now that
computers will crash several times a day. We take it for granted that you have
to be afraid when you get an email attachment; you have to figure out where
it came from. "Is it worth it to open this spreadsheet where I might blow up
my computer?" We've developed a kind of culture of a passive, beat-down fear.
. . . If you got in your automobile and every day it would stall several times,
and every once in a while it would just sort of randomly explode into flames
and destroy all of your personal belongings, like when your computer crashes
and you lose your files, you would be really mad, and furious at the car
manufacturer. . .
I think it's a real travesty that we see . . . these insecure environments as
the way it has to be, because, "Heck, it's always been that way." The people
who are calling the shots in terms of building it are just building them their
way, and they don't care. . . .
REID: It's more than just Microsoft producing what amounts to almost a
negligent security model in their operating system. It's also the fact that
they're marketing it specifically to end users who want to go on the internet,
people who may have bought their first computer ever. Those people are not
computer security experts. They don't know what's out there.
So it's like building a really cheap car and saying, "Now, drive this on these
really rocky roads," deliberately putting them in an environment where you know
that what they have designed is so inadequate for that environment, and
marketing it to student drivers. . . .
It seems patently obvious to the layman that if you point out this
fundamental flaw, it will be fixed. Why isn't it fixed? Why don't they fix
it? . . .
COUNT: They won't change something unless the people demand it. That's the
trick. And people are not demanding the security. . . .
REID: Although, in all fairness, we should point out that the beast on
Microsoft's back here is the fact that they need to be backwards-compatible
with previous versions of Windows operating system, which themselves were
insecure. So there may be legitimate technical hurdles for them to overcome in
order for a new version of Windows to have, in our eyes, nice security. But
then again, what kind of software company do you think could take on a
challenge like that, if not Microsoft? Do you think anyone other than the
world's largest software company could pull that off? And if they can't,
then we're all in trouble.
It's already happening. The open source movement is a kind of response
to that, where if the companies aren't doing it, then heck, all of these
millions of programmers around the world will do it. Apache is the
most popular web server software because . . . all the people who were
building it were the people who were going to be using it. And they . . .
solved that problem. Models will be built in there, because it will have
truly been something designed by technical people, who created security models
from the very beginning as part of the product. . . .
Back Orifice could now be used by the state to run surveillance on any
computer it wants?
REID: Absolutely. In fact, there have been various press releases by
different federal and state agencies, talking about how they've in fact hired
companies to write tools. Or there have also been news stories about
clandestine operations to write software, or companies putting out press
releases, stating that they've been hired by unnamed government agencies to
write software to do small subsets of Back Orifice's functionality.
I think even slightly more interesting is the possibility that somebody took
our open source code for Back Orifice 2000 and tailored it for their own
purposes and never told us. The entire code for Back Orifice 2000 is available
on our web site, and you can download it, you can inspect it, and you can make
modifications. All we ask is that you please submit those changes to us for
our own perusal, and you don't sell it. It's quite likely that somebody has
already taken BO2K source and written their own tools that haven't surfaced yet
in public. . . .
Do you see dangers in us being so wired and connected the way we are at the
moment?
COUNT: I think about that a lot. . . . I think a lot of the fear that's
happening is fundamentally because there are big misconceptions of what the
internet is all about. The internet is not a nicely packaged lined up row of
books in a library where everything's organized by the Dewey Decimal System and
everything is published by a handful of publishers that control all of it.
It's not something that's sanitized, categorized, shrink-wrapped and
freshness-dated on a shelf. The internet is a mirror of society. It truly is
something that reflects all of the elements in the physical world--the types
of people who use it, the types of things that are on it, what's being said,
and what you'll see and read. . . . People who are criminals are going to be
on there. There are going to be people on there where you just cannot
understand where they're coming from, and that'll scare some people. . . .
Society is complex, and it's often very messy. And I think people just have to
deal with that, roll up their sleeves, and jump in and just get involved and
try to fix things that are broken, and accept the fact that other people are
going to say things that you don't like a lot of times.
REID: The internet itself was constructed with this idea that we were all
going to be nice to each other. All of the standards and all of the protocols
assume, basically, that no one is going to lie or cheat or steal. It was
designed basically for the US government in planning a war, and then it was
co-opted by scientists to coordinate research. And there was really no effort
made early on to insulate that, or to protect against people who just are
outside the trust model, people who just want to go in and see what they can
do, and they just don't care. Unfortunately, it's hard to build on top of a
system like that and not retain some of those strengths and weaknesses. Those
protocols are very simple, they're fast, they're efficient. But they are wide
open.
Nowadays, we are paying for the sins of our fathers in the same way that we had
the Y2K bug, which we spent years gearing up for--and thank God we did, because
it could have been awful. The general public is sick of hearing about Y2K, and
they assumed it was a big joke, but it never was. That could have been very
devastating. But those kinds of problems exist on the net in spades. If
somebody wanted to take down the internet, they could do it; they could still
do it. None of that has changed. . . .
How should the public view hackers like you? Are you demons, are you
crusaders, should we be embracing you, should we be attacking you?
REID: I think the first misconception that people have about hackers is that
it's a giant political party, or it's a voting bloc, or it's organized somehow.
And it's not. It's like asking what should people think about carpenters.
It's just a very loosely defined group of people. In fact, we can't even seem
to agree on a definition of hacker most of the time. . . .
COUNT: It implies curiosity, and looking at how you can use tools in different
ways and how you can think of new tools to extend people's abilities to do
things. But the best definition I heard of a hacker was just someone who . . .
if they saw something closed and it was doing something, they just wanted to
open it up to see how it was working, and then how to maybe play with it a
little bit to make it work a little better. . . . It's just a general loose
sort of mentality based on focusing on technology.
. . . I don't think the public should be afraid. I think hackers in general
are explorers. They're exploring new territory. And of course when you're
exploring territory, some people are going to cut down all the trees and screw
up the environment, and other people are going to catalogue all of the wildlife
and create very useful scientific resources. . . . The key thing that you'll
find probably at conferences like this is that hackers like to talk about what
they're finding. . . . So as long as people continue to engage with the
"hacker community," then we can all learn and move the whole society forward
and continue to expand the frontiers of the digital world. . . .
Do you have a sense that you are in a historical time, playing a historical
role?
REID: I think we're all sitting in on a historical moment. The internet ranks
as one of the world's great inventions, like the wheel, or germ theory, or
anesthesia, or any of those things, and it has the power to transform the globe
in ways that are almost unprecedented. The United Nations just released a
report stating that, by the year 2004, no human being on the planet will be
more than half a day's journey from a physical connection to the internet. And
they specifically cited the case of somebody in the middle of the Sahara
Desert, who, by their estimates, ought to be a half a day's ride from an
internet terminal. . . .
COUNT: . . . Ultimately, the concept of going somewhere to get on the internet
will become sort of very quaint and old-fashioned, because everyone will be
online all the time, and everything will be online, communicating with other
things. We're a unique species in that we do two things really well--we
create language and we create tools. And now we're actually creating tools
that have their own language that can then communicate with other tools. As
everything becomes computerized, your refrigerator will tell your watch that
you need milk, so when you're in the car and you drive by a store. . . . It'll
tell your watch, which will then speak to you and say, "Why don't you go pick
up some milk." . . .
I'm very concerned that we make sure we get it right in terms of the security.
Because it's one thing if your computer blows up and crashes on your desktop
and you're like, "Well, I'll go get a cup of coffee while I reboot." It's
another thing if . . . ultimately, your entire life sort of crashes around
you--your refrigerator crashes, your car crashes, and a new implant in your
body crashes. How do you reboot that? . . . It's just going to become more
ubiquitous--this internet environment, this global digital network. And if we
don't get it right, it's just going to be a big mess, and that scares me a
little.
FRONTLINE · wgbh · pbs online
some photos copyright ©2001 photodisc
web site copyright WGBH educational foundation