Elite security posse fostered founders of WhatsApp, Napster

By Joseph Menn

SAN FRANCISCO (Reuters) - A few days after selling WhatsApp to Facebook for $19 billion, Jan Koum stepped into a suite at the St. Regis Hotel in San Francisco to celebrate with old friends, including CEOs, reformed hackers and a few people who fell into both those camps.

Conducted over snacks and beer, the late-night festivity was a spontaneous reunion of a security super-group that had come to Koum's aid in 2000 as he grappled with a denial-of-service attack that knocked Yahoo offline when Koum was responsible for security there.

The now defunct collective known as w00w00 (pronounced whoo whoo) had thrived on Internet Relay Chat channels in the late 1990s and early 2000s, between get-togethers at hacking conventions such as Def Con in Las Vegas, where a member said Koum "came across like a big, friendly kid."

Although the elite group was not well known outside hacking circles, its members have spawned more than a dozen companies, mainly in security. The two most famous exceptions are WhatsApp, the messaging service that Koum co-founded, and Napster, the pioneering file-sharing company that was shut down by the music industry in 2001.

The key to w00w00's success, according to interviews with a dozen members, was that it brought together people with widely varying expertise and backgrounds in a meritocratic way that would be tough to replicate in today's more complex and competitive world of security.

Koum was already a senior Yahoo Inc executive in his early 20s when he joined w00w00. Napster Co-founder Shawn Fanning was one of several members still in high school. Both came from poor backgrounds and benefited from the group's welcoming culture, which prized collaboration in the era before computer security became a big business, let alone a major factor in national defense and offense.

"Communication was democratized, and curiosity was rewarded," Koum told Reuters last week. "I had so much fun in early days learning about networking, security, scalability and other geeky stuff."

The w00w00 party at the St. Regis on February 26 came during the peak of the week-long RSA Conference across the street, the largest gathering of tech security professionals in the world. Some w00w00 veterans were attending the show to hawk software or services from their companies, while others were taking pains to avoid the marketing hype powered by a flood of new investment.

At the reunion, most of the crew ignored the cheese and dried fruit to catch up on old times and toast the man they regard as the first real w00w00 billionaire. The Ukraine-born Koum, who wore a gray T-shirt and black sweatshirt over his large frame, made $6.8 billion from the sale of WhatsApp to Facebook Inc , according to Forbes.

(Napster co-founder Sean Parker is also a billionaire, having gotten rich through owning early stock in Facebook, but he was too business-minded to spend much time in w00ww00.)

The gathering was also an occasion to reflect on why the security issues that the w00w00ers worked on 15 years ago were such excellent preparation for broader technology innovation, and why that might be less true now.

"You don't get cats and mice playing well together anymore, because the stakes have gotten so high and the net has become politicized," said Dug Song, who was a core w00w00 member. "W00w00 was the Switzerland of computer security."

TAKEN FOR GRANTED

In the 1990s, deep tech knowledge was needed to make things work. Now that infrastructure has been built out and cloud-computing resources can be rented cheaply from the likes of Amazon.com Inc , much more is taken for granted.

"Young kids have less interest in security these days," said Ejovi Nuwere, an orphan from Brooklyn who joined w00w00 before he signed on as a security engineer at Lehman Brothers and then went on to found multiple companies. "There's a lot more interest in starting the next Facebook than in reverse-engineering software."

Founded by Utah teenager Matt Conover, who chose the silly, exclamation-like name, w00w00 claimed about 30 core contributors at its peak, each of them invited by an existing member.

Several participants had wandered to the wrong side of the law in the past. At 15, Nuwere hacked into his local Internet service provider. When he called the company and explained how he did it, he was hired at minimum wage.

Another w00w00er, Anthony Zboralski, received a suspended sentence in 1997 for posing as a Paris FBI official and using the agency's network services - provided by AT&T - for free for four months.

Nuwere said the group adopted a "don't ask, don't tell" policy, though anyone who was obviously hacking for malicious reasons was shunned.

Most members of w00w00 were conducting research on their own, at small companies or ensconced in big ones like Koum.

"We had some really rich and interesting discussions about security topics," Conover recalled. "If someone had a good tool they wrote, they'd likely share it."

One of those tools was the Nmap Security Scanner, created by w00w00 member Gordon Lyon. Used by defenders and attackers alike, the program scans networks for open ports, available services and deployed software. Another tool was the member-developed password cracker, John the Ripper.

W00w00 members regularly spoke at the top security conventions. One of them, Jeff Forristal, under the handle "Rain Forest Puppy," published guidelines for responsibly disclosing flaws to software vendors before the general public.

Fanning used the w00w00 crowd as beta-testers for Napster. Another w00w00 contributor, Jordan Ritter, ended up heading the development of Napster's server software before he started anti-spam service Cloudmark and other companies.

Koum was already working long hours to build up Yahoo's infrastructure and automate its defenses. His big test came when a Canadian teenager launched massive denial-of-service attacks on Yahoo and others, briefly rendering most of them unreachable. Known as MafiaBoy, the teen said after his arrest that he had directed hundreds of compromised university computer networks to connect to Yahoo simultaneously, overwhelming its resources.

Having never met most of the w00w00 members in person, Koum nevertheless turned to them for help in a way that would be unthinkable for a top security executive today. One of those brainstorming with him was Song, who later became the founding architect of a major denial-of-service mitigation firm, Arbor Networks Inc.

ENTER THE SPIES

As most of the w00w00 membership took serious jobs, often at each other's companies, the security industry as a whole was splintering.

Conover and others ended up at big companies such as Symantec Corp . Some old-school hackers picked fights with several w00w00 members, arguing that information about security flaws should not be published.

Increasingly during the last decade, geopolitics entered into the picture. Spy agencies and military commanders realized the immense value of specialized software for breaking into and potentially disrupting enemy networks. Some hackers who were caught breaking the law said they were offered a choice between jail and government service.

The apolitical Conover said he did not like it when U.S. authorities questioned him about his associations after he returned from a conference in China.

Another w00w00 mainstay, Ralph Logan, became a consultant with both corporate and U.S. government security contracts, doling out work as a "hostel for homeless hackers."

Others sold research on how to exploit various software to brokers, who sold it to military contractors. This way of earning a living bothered some w00w00ers on a philosophical level because the information was not shared widely to help shore up cyber defenses.

"The people who understand vulnerabilities and how to exploit them are being co-opted into building offensive tools for national interests," Nuwere said. "These are issues that hackers have faced in other countries for a long time."

Koum is among many w00w00ers who have left the security business. Logan has a big-data startup, Kiku Software. Conover's latest project is a virtualization company called CloudVolumes. Ritter hired Nuwere for a non-security stealth startup called Ivy Softworks.

Though security was once a major breeding ground for important new companies, such departures suggest this might not be the case for long.

"The barriers for entry to learning about hacking in the old sense are such that it doesn't allow for as much free expression and open research," Logan said. "It's an unfortunate sign of maturity in the industry."

(Reporting by Joseph Menn; Editing by Tiffany Wu)

Loading...

Editor’s note:Yahoo Philippines encourages responsible comments that add dimension to the discussion. No bashing or hate speech, please. You can express your opinion without slamming others or making derogatory remarks.

  • Pacquiao a national symbol of hope in Philippines
    Pacquiao a national symbol of hope in Philippines

    Emmanuel "Manny" Pacquiao is idolised by tens of millions in the poverty-afflicted Philippines both for his punching power and as a national icon of hope after rising from the streets to the pinnacle of world boxing. Known to his countrymen in the Asian archipelago as "The National Fist", Pacman fights undefeated American Floyd Mayweather on May 2 to decide who is the world's best "pound-for-pound" boxer. To most of the Philippines' population of almost 100 million, Pacquiao, winner of an …

  • Indonesia's Jokowi to speak to attorney general about Philippines death row convict

    Indonesia President Joko Widodo will consult with the attorney general on legal issues surrounding the case of death row convict Mary Jane Veloso, the Philippines presidential spokesman said on Monday. The statement came after the Philippines President Benigno Aquino met Widodo at the ASEAN summit in Kuala Lumpur and appealed for "humanitarian consideration" in the case. Widodo was sympathetic and was consulting with the Indonesian attorney general on the legal issues, he said. …

  • Halt Indonesia drug executions until graft claims probed: Australia
    Halt Indonesia drug executions until graft claims probed: Australia

    Australia on Monday urged Indonesia to ensure all legal processes have been cleared of corruption before executing two of its nationals, as bribery allegations surfaced regarding their drug smuggling trial. Foreign Minister Julie Bishop spoke to her Indonesian counterpart Retno Marsudi on Sunday evening while Prime Minister Tony Abbott has written to President Joko Widodo to again plead for the executions to be halted. "Bali Nine" drug traffickers Myuran Sukumaran and Andrew Chan could face …

  • Pagasa: Drought may worsen
    Pagasa: Drought may worsen

    The drought in 12 already dry areas in the country is expected to worsen as the summer season peaks next month, the Philippine Atmospheric, Geophysical and Astronomical Services Administration (PAGASA) warned yesterday. In an advisory, PAGASA said the provinces of Albay, Bataan, Batangas, Biliran, Cavite, Cebu, Ilocos Norte, Leyte, Misamis Occidental, Pampanga, Zamboanga del Norte and Zamboanga del Sur will continue to receive “way below” or “below normal” rainfall in May. PAGASA defines …

  • Maximum restraint for Phl troops in West Phl Sea
    Maximum restraint for Phl troops in West Phl Sea

    The military has advised its pilots conducting surveillance in the West Philippine Sea to exercise maximum restraint even if they are being bullied by Chinese troops. Armed Forces spokesman Brig. Gen. Joselito Kakilala said all actions of the pilots should be consistent with the declaration of conduct signed by claimant countries. Armed Forces public affairs chief Lt. Col. Harold Cabunoc said the Philippines should remain on moral high ground when it comes to the territorial dispute. A …

  • MMDA simulates rescue march after quake, tsunami
    MMDA simulates rescue march after quake, tsunami

    The Metro Manila Development Authority (MMDA) yesterday led the annual rescue march from Quezon City to Manila, giving rescue volunteers a glimpse of possible scenarios if the metropolis is hit by a strong quake or is inundated by a tsunami. Cora Jimenez, MMDA general manager, said 700 volunteer rescuers walked from the Quezon City memorial circle to the Bonifacio monument in front of the Manila city hall to simulate a response-exercise to a magnitude 7.2 earthquake. Renato Solidum, …

  • Islamic State threatens Mindanao, Phl tells Asean
    Islamic State threatens Mindanao, Phl tells Asean

    Foreign Affairs Secretary Albert del Rosario bared yesterday before the Association of Southeast Asian Nations (ASEAN) reports of the Islamic State of Iraq and Syria (ISIS) threat to the Philippines through the Black Flag Movement in Mindanao. Speaking before ASEAN foreign ministers, Del Rosario said the ISIS threat to Philippine security is real rather than imagined because of the Black Flag Movement’s pledge of allegiance to ISIS leader Abu Bakr al-Baghdadi. …

  • ‘Chinese reclamation affecting Phl’s energy security bid’
    ‘Chinese reclamation affecting Phl’s energy security bid’

    China’s occupation and buildup of its military structures in the West Philippine Sea and South China Sea is causing the country’s top energy official to get the jitters as the encroachment is seen as a huge dent on the Philippines’ efforts to achieve energy security. “It is a concern but if we don’t bring it to the United Nations, where will we bring it? We cannot bang heads with them,” Energy Secretary Carlos Jericho Petilla told The STAR in an interview over the weekend. The US Energy …

POLL

Should Aquino be held accountable over the Mamasapano operations?

Loading...
Poll Choice Options