Few things bring me more joy than this ongoing Rising Tides column, because I get to dig into the minds and experiences of some of the most fascinating people in our industry. What makes these people even more exceptional, at least to me, is how they go beyond the norm of a “day job” and use their efforts to create technology or frameworks that watch out for the human.
The latest installment features Christien “DilDog” Rioux, architect of Veilid and President of the Veilid Foundation—and about 100 other acts of awesome in cybersecurity. Given his skillset (he spent the first 15 years of his programming experience on game engine development), he says if he didn’t get into security, he might’ve written video games for a living. Aren’t we lucky he didn’t?
Chris has been a driving force in the security industry and hacker community for decades, and if you work in cyber and don’t know of him, this is a good time to educate yourself as he might be a big part of why you get to do what you do. From his deep roots in L0pht and @stake and Cult of the Dead Cow (cDc), to building game-changing security code and technology, to co-founding Veracode, to now creating Veilid to make privacy accessible to everyone– an important “human rights issue,” Chris is what I consider to be unstoppable.
Without further ado…
Q. You have had more than one significant impact over the last couple decades in the industry. For those who don’t know you, how’d it start, how did it go, how did you get to where you are today?
A. Here’s a few highlights of things that I’ve done:
- A bunch of security advisories with L0pht and @stake, many were before the CVE existed, so you’d need to go back to the BugTraq mailing list archives to find them now. Focused on breaking Microsoft Windows, which at the time was deemed by my peers to be the “least cool” thing I could have been hacking. Shout-out to #!r00t for making sure I knew that Unix systems were way cooler.
- One of the 20 founders of @stake, the first “pure-play security services consulting company” that openly “hired hackers.” I say this jokingly but, in my experience, anyone having to do with @stake back in the day claims to be a founder of the thing—so whatever you gotta do to pad your resume folks.
- Primary author of L0phtCrack. I did not invent it, but wrote most of the code you’d recognize. Took the software from a proof-of-concept to a commercially viable product that shipped for 20 years before I felt it wasn’t worth my time to continue supporting it.
- Author of Back Orifice 2000, a “remote administration tool” that shined some light on Microsoft’s lack of security features at the time. It was a quick follow-up to the original Back Orifice, but shut down some frequent market manipulation in the media suggesting that users were safe from “malicious software” when they, in fact, were not.
- Co-founder of Veracode, having built what could have turned into a publicly available software decompiler. We built this big crazy thing that modeled programs and could find bugs in binaries automatically. Which was pretty cool, and I’m proud of it but the whole “being a founder of a venture capital-backed startup” thing turned out to be a big load of PTSD and I’ll probably never do any of that again.
- Inventor of Veilid, and President of the Veilid Foundation.
Q. Most have heard of Veilid by now but, for those who haven’t, please explain what it is and more importantly, why it is.
A. Privacy has a huge accessibility problem. You shouldn’t have to be a big cryptography or computer expert to have access to privacy-preserving applications. People have given up their data to big companies because it has become acceptable to “be the product” when something you are using is “free.” You shouldn’t have to install a proxy or rely on a shady “VPN” service, or be on the “dark web” to have privacy online.
The existing app ecosystem relies on centralization and therefore presents developers with a choice: find a way to monetize your “free” users to pay your cloud bills, or go out of business.
Veilid is an open-source peer-to-peer mobile-first networked application framework. Veilid helps break the dependence on big centralized clouds, helping people build privacy-enabled apps, mobile, desktop, and web, that run with no extra configuration or advanced technical knowledge. It also presents developers a way to make applications that preserve user privacy, avoiding the collection of user data they do not want the responsibility of handling, and making many kinds of networked applications free to run.
Q. Why is this project specifically important to you?
A. I believe that the erosion of privacy on the Internet is detrimental to personal freedom, and that dependence on corporate systems is always going to place profit over people. Veilid is being built to give developers and users another choice, without needing to pay all these middle-men for the right to use the Internet. I see this as a human rights issue.
Q. What is your dream and vision of how Veilid will impact the world as it grows?
A. I would like Veilid applications to build the “cloud” out of everyone’s computers, not just the computers owned by billionaires. You’ve got a supercomputer in your pocket that you probably spent $500-$1,000 for. You already bought into the vision, it just needs the right apps. We can have millions of devices all running Veilid as part of their apps someday. You won’t even know it’s there, but your apps will be cheaper and your data safer.
Q. You were a prominent leader in L0pht and now in cDc, the latter where Veilid originated. With so much obsession with hacker culture, how would you compare each group, then and now?
A. L0pht was kind of like “midnight basketball” for hackers. Got us kids off the street and gave us a playground where we could explore systems legally. We had a lot of fun trash-picked computers and built one of the first “hacker spaces” because we all wanted to learn from each other and do cool things. It was fun.
Cult Of The Dead Cow is a group of hackers, artists, and mysterious underground influencers from around the world. We were built out of a connected group of bulletin board systems in the 80s and 90s, but have grown over the years to a wide Internet and public media presence. We’re politically-minded and decentralized as a group.
The cDc and L0pht did have a bunch of members in common and had a lot of related efforts. Back Orifice 2000 was a collaboration between the two groups.
L0pht advertised itself as “gray hat” which at the time was an important distinction. There’s many motivations to be in security today, but at the time you either were breaking the law or wearing a suit as an infosec professional, with not as much wiggle room in the middle. L0pht really helped legitimize the hacker->infosec career pipeline, which I’m not confident was a good thing, but here we are. I do feel it was inevitable, though.
L0pht was a time and a place. It was people, publications, and products. Cult of the Dead Cow is forever. It’s a philosophy, an idea, a style.
Q: Where did you get the name “DilDog”?
A. DilDog was the original name of the “Dogbert” character from the “Dilbert” comic strip. I picked it because it sounded ridiculous and all the other hackers at the time were picking off “cool” handles that sounded egotistical to me. So it was a bit of a troll to the hacker scene.
Q. How did you get started in hacking and cyber?
A. I had been programming since my father brought home an Apple ][+ computer when I was 5, and he taught me some BASIC and I picked up some assembly language after that. I lived in rural Maine in my youth, so the only way I was finding other like-minded people was over BBSs. Did a bunch of wardialing back then, and got onto some college Unix systems. I first encountered cDc text files that way, and got involved with software cracking when I first got on the Internet in 1993. Starting writing exploits in 1994 when I got to college in Boston, and publishing them in 1996, after which I decided to look up the local 2600 meeting and go find some people that would understand what I was doing.
Q. How do you see cDc helping with highlighting and giving opportunities to learn to either those new to or perhaps the under-represented in cyber?
A. cDc does a lot of outreach. We’re always trying to get involved with under-represented communities in hacking because we know that necessity has made more great hackers and inventors than those gifted with an easy life. Genius is evenly distributed, but opportunity is not. Sometimes, hacking isn’t about computers. It’s about solving problems in a different way when your life throws boulders in your path.
Q. Tell me a little about your hobbies and you can’t say “code.”
A. I love to make music, been playing the piano as long as I have been coding. I love to do illustration, drawing, and mixed medium artwork as well. I help make merchandise and designs for HACK.XXX, my clothing store for cynical hacker people. I enjoy woodworking and metalworking, and make jewelry and electronics. In short, I’m a “maker.”
Q. What is one lesson you learned the hard way you’d love for younger cyber technologists to learn from now in order to help with their journey?
A. Always have a side project. Do your job, and if it’s infosec, make sure that you don’t just “hack for work.” You’ll lose your flame. If you make your hobby your job, you won’t enjoy it like you used to. Work/life balance in infosec is absolutely important, and burnout is inevitable if you don’t take care of yourself. My wife [Dr. Stacy Thayer] is building a consulting business around helping people with this because it’s a huge problem. Don’t burn out, folks.
Q. There’s a lot of talk about “solving” the security problem. Is that possible through your lens?
A. No, I don’t think anyone will be “solving” security any time soon. I think we can make exploitation of software harder though, but it’s not going to be point fixes on commercial software bugs that do it, in the end. We need seismic shifts like the popularization of type-safe and memory-safe languages like Rust, and privacy-by-default software frameworks like Veilid. Nothing will ever be 100% “secure” because people will make mistakes. But I think we can do a much better job for people if we stop exploiting them for profit and putting them at risk to make a buck. That’s on us to fix.
