Elite security posse fostered founders of WhatsApp, Napster

By Joseph Menn

SAN FRANCISCO (Reuters) - A few days after selling WhatsApp to Facebook for $19 billion, Jan Koum stepped into a suite at the St. Regis Hotel in San Francisco to celebrate with old friends, including CEOs, reformed hackers and a few people who fell into both those camps.

Conducted over snacks and beer, the late-night festivity was a spontaneous reunion of a security super-group that had come to Koum's aid in 2000 as he grappled with a denial-of-service attack that knocked Yahoo offline when Koum was responsible for security there.

The now defunct collective known as w00w00 (pronounced whoo whoo) had thrived on Internet Relay Chat channels in the late 1990s and early 2000s, between get-togethers at hacking conventions such as Def Con in Las Vegas, where a member said Koum "came across like a big, friendly kid."

Although the elite group was not well known outside hacking circles, its members have spawned more than a dozen companies, mainly in security. The two most famous exceptions are WhatsApp, the messaging service that Koum co-founded, and Napster, the pioneering file-sharing company that was shut down by the music industry in 2001.

The key to w00w00's success, according to interviews with a dozen members, was that it brought together people with widely varying expertise and backgrounds in a meritocratic way that would be tough to replicate in today's more complex and competitive world of security.

Koum was already a senior Yahoo Inc executive in his early 20s when he joined w00w00. Napster Co-founder Shawn Fanning was one of several members still in high school. Both came from poor backgrounds and benefited from the group's welcoming culture, which prized collaboration in the era before computer security became a big business, let alone a major factor in national defense and offense.

"Communication was democratized, and curiosity was rewarded," Koum told Reuters last week. "I had so much fun in early days learning about networking, security, scalability and other geeky stuff."

The w00w00 party at the St. Regis on February 26 came during the peak of the week-long RSA Conference across the street, the largest gathering of tech security professionals in the world. Some w00w00 veterans were attending the show to hawk software or services from their companies, while others were taking pains to avoid the marketing hype powered by a flood of new investment.

At the reunion, most of the crew ignored the cheese and dried fruit to catch up on old times and toast the man they regard as the first real w00w00 billionaire. The Ukraine-born Koum, who wore a gray T-shirt and black sweatshirt over his large frame, made $6.8 billion from the sale of WhatsApp to Facebook Inc , according to Forbes.

(Napster co-founder Sean Parker is also a billionaire, having gotten rich through owning early stock in Facebook, but he was too business-minded to spend much time in w00ww00.)

The gathering was also an occasion to reflect on why the security issues that the w00w00ers worked on 15 years ago were such excellent preparation for broader technology innovation, and why that might be less true now.

"You don't get cats and mice playing well together anymore, because the stakes have gotten so high and the net has become politicized," said Dug Song, who was a core w00w00 member. "W00w00 was the Switzerland of computer security."

TAKEN FOR GRANTED

In the 1990s, deep tech knowledge was needed to make things work. Now that infrastructure has been built out and cloud-computing resources can be rented cheaply from the likes of Amazon.com Inc , much more is taken for granted.

"Young kids have less interest in security these days," said Ejovi Nuwere, an orphan from Brooklyn who joined w00w00 before he signed on as a security engineer at Lehman Brothers and then went on to found multiple companies. "There's a lot more interest in starting the next Facebook than in reverse-engineering software."

Founded by Utah teenager Matt Conover, who chose the silly, exclamation-like name, w00w00 claimed about 30 core contributors at its peak, each of them invited by an existing member.

Several participants had wandered to the wrong side of the law in the past. At 15, Nuwere hacked into his local Internet service provider. When he called the company and explained how he did it, he was hired at minimum wage.

Another w00w00er, Anthony Zboralski, received a suspended sentence in 1997 for posing as a Paris FBI official and using the agency's network services - provided by AT&T - for free for four months.

Nuwere said the group adopted a "don't ask, don't tell" policy, though anyone who was obviously hacking for malicious reasons was shunned.

Most members of w00w00 were conducting research on their own, at small companies or ensconced in big ones like Koum.

"We had some really rich and interesting discussions about security topics," Conover recalled. "If someone had a good tool they wrote, they'd likely share it."

One of those tools was the Nmap Security Scanner, created by w00w00 member Gordon Lyon. Used by defenders and attackers alike, the program scans networks for open ports, available services and deployed software. Another tool was the member-developed password cracker, John the Ripper.

W00w00 members regularly spoke at the top security conventions. One of them, Jeff Forristal, under the handle "Rain Forest Puppy," published guidelines for responsibly disclosing flaws to software vendors before the general public.

Fanning used the w00w00 crowd as beta-testers for Napster. Another w00w00 contributor, Jordan Ritter, ended up heading the development of Napster's server software before he started anti-spam service Cloudmark and other companies.

Koum was already working long hours to build up Yahoo's infrastructure and automate its defenses. His big test came when a Canadian teenager launched massive denial-of-service attacks on Yahoo and others, briefly rendering most of them unreachable. Known as MafiaBoy, the teen said after his arrest that he had directed hundreds of compromised university computer networks to connect to Yahoo simultaneously, overwhelming its resources.

Having never met most of the w00w00 members in person, Koum nevertheless turned to them for help in a way that would be unthinkable for a top security executive today. One of those brainstorming with him was Song, who later became the founding architect of a major denial-of-service mitigation firm, Arbor Networks Inc.

ENTER THE SPIES

As most of the w00w00 membership took serious jobs, often at each other's companies, the security industry as a whole was splintering.

Conover and others ended up at big companies such as Symantec Corp . Some old-school hackers picked fights with several w00w00 members, arguing that information about security flaws should not be published.

Increasingly during the last decade, geopolitics entered into the picture. Spy agencies and military commanders realized the immense value of specialized software for breaking into and potentially disrupting enemy networks. Some hackers who were caught breaking the law said they were offered a choice between jail and government service.

The apolitical Conover said he did not like it when U.S. authorities questioned him about his associations after he returned from a conference in China.

Another w00w00 mainstay, Ralph Logan, became a consultant with both corporate and U.S. government security contracts, doling out work as a "hostel for homeless hackers."

Others sold research on how to exploit various software to brokers, who sold it to military contractors. This way of earning a living bothered some w00w00ers on a philosophical level because the information was not shared widely to help shore up cyber defenses.

"The people who understand vulnerabilities and how to exploit them are being co-opted into building offensive tools for national interests," Nuwere said. "These are issues that hackers have faced in other countries for a long time."

Koum is among many w00w00ers who have left the security business. Logan has a big-data startup, Kiku Software. Conover's latest project is a virtualization company called CloudVolumes. Ritter hired Nuwere for a non-security stealth startup called Ivy Softworks.

Though security was once a major breeding ground for important new companies, such departures suggest this might not be the case for long.

"The barriers for entry to learning about hacking in the old sense are such that it doesn't allow for as much free expression and open research," Logan said. "It's an unfortunate sign of maturity in the industry."

(Reporting by Joseph Menn; Editing by Tiffany Wu)

Loading...

Editor’s note:Yahoo Philippines encourages responsible comments that add dimension to the discussion. No bashing or hate speech, please. You can express your opinion without slamming others or making derogatory remarks.

  • Lupita Nyong'o's $150,000 Oscars dress stolen from hotel
    Lupita Nyong'o's $150,000 Oscars dress stolen from hotel

    The $150,000 pearl-studded, custom-made Calvin Klein dress worn by Oscar-winning actress Lupita Nyong'o at this year's Academy Awards has been stolen, police said on Thursday. The gown, embellished with 6,000 natural white pearls, was stolen from Nyong'o's room at the London Hotel in West Hollywood, during the day on Wednesday, a spokesman for the Los Angeles County Sheriff's Department in West Hollywood said. "Ms Nyong'o was not in the room at the time of the theft," Deputy John Mitchell …

  • National Geographic 'Afghan girl' in Pakistan papers probe
    National Geographic 'Afghan girl' in Pakistan papers probe

    Pakistani officials are investigating after the famous green-eyed "Afghan girl" immortalised in a 1985 National Geographic magazine cover was found living in the country on fraudulent identity papers. The haunting image of the then 12-year-old Sharbat Gula, taken in a refugee camp by photographer Steve McCurry, became the most famous cover image in the magazine's history. Now Pakistani officials say that Gula applied for a Pakistani identity card in the northwestern city of Peshawar in April …

  • South Korea decriminalises adultery, condom shares soar
    South Korea decriminalises adultery, condom shares soar

    South Korea's Constitutional Court on Thursday struck down a controversial adultery law which for more than 60 years had criminalised extra-marital sex and jailed violators for up to two years. The decision saw shares in the South Korean firm Unidus Corp., one of the world's largest condom manufacturers, soar by the daily limit of 15 percent on the local stock exchange. "Even if adultery should be condemned as immoral, state power should not intervene in individuals' private lives," said …

  • ‘Noy angered by previous SAF failures to get Marwan’
    ‘Noy angered by previous SAF failures to get Marwan’

    Supt. Raymund Train, who led the SAF team that killed Marwan in Mamasapano, Maguindanao on Jan. 25, recounted in a sworn statement the meeting he and senior SAF officers had with Aquino in Malacañang on Nov. 30. Train said among the senior officers who attended the meeting were then PNP chief Director General Alan Purisima, SAF chief Director Getulio Napeñas, SAF deputy commander Chief Supt. Noli Taliño and intelligence group chief Senior Supt. Fernando Mendez. …

  • U.S. flies most advanced surveillance plane from Philippines

    By Manuel Mogato MANILA (Reuters) - The United States has begun flying its most advanced surveillance aircraft, the P-8A Poseidon, out of the Philippines for patrols over the South China Sea, the U.S. Navy said on Thursday, acknowledging the flights for the first time. The United States, the Philippines' oldest and closest ally, has promised to share "real time" information on what is happening in Philippine waters as China steps up its activities in the South China Sea. China claims most of …

  • NYC, Orthodox Jews reach deal on circumcision suction ritual
    NYC, Orthodox Jews reach deal on circumcision suction ritual

    NEW YORK (AP) — The city said Tuesday it has reached a tentative agreement with members of the ultra-Orthodox Jewish community over a tradition known as oral suction circumcision. …

  • US-led strikes on IS after group seizes 220 Christians
    US-led strikes on IS after group seizes 220 Christians

    The US-led coalition has carried out air strikes against the Islamic State group in northeastern Syria, where the jihadists have launched a new offensive and kidnapped 220 Assyrian Christians. The raids on Thursday struck areas around the town of Tal Tamr in Hasakeh province, the Syrian Observatory for Human Rights said, without giving information on possible casualties. The town remains under the control of Kurdish forces, but at least 10 surrounding villages have been seized by IS, along …

  • Vatican seeks to quell Mexican anger over pope's drug remark
    Vatican seeks to quell Mexican anger over pope's drug remark

    VATICAN CITY (AP) — The Vatican sought Wednesday to defuse a diplomatic tiff with Mexico after Pope Francis referred to the possible "Mexicanization" of his native Argentina from drug trafficking, the latest instance of Francis' casual speaking style getting him into trouble. …

POLL

Should Aquino be held accountable over the Mamasapano operations?

Loading...
Poll Choice Options