SAN FRANCISCO (Reuters) - A few days after selling WhatsApp to Facebook for $19 billion, Jan Koum stepped into a suite at the St. Regis Hotel in San Francisco to celebrate with old friends, including CEOs, reformed hackers and a few people who fell into both those camps.
Conducted over snacks and beer, the late-night festivity was a spontaneous reunion of a security super-group that had come to Koum’s aid in 2000 as he grappled with a denial-of-service attack that knocked Yahoo offline when Koum was responsible for security there.
The now defunct collective known as w00w00 (pronounced whoo whoo) had thrived on Internet Relay Chat channels in the late 1990s and early 2000s, between get-togethers at hacking conventions such as Def Con in Las Vegas, where a member said Koum “came across like a big, friendly kid.”
Although the elite group was not well known outside hacking circles, its members have spawned more than a dozen companies, mainly in security. The two most famous exceptions are WhatsApp, the messaging service that Koum co-founded, and Napster, the pioneering file-sharing company that was shut down by the music industry in 2001.
The key to w00w00’s success, according to interviews with a dozen members, was that it brought together people with widely varying expertise and backgrounds in a meritocratic way that would be tough to replicate in today’s more complex and competitive world of security.
Koum was already a senior Yahoo Inc executive in his early 20s when he joined w00w00. Napster Co-founder Shawn Fanning was one of several members still in high school. Both came from poor backgrounds and benefited from the group’s welcoming culture, which prized collaboration in the era before computer security became a big business, let alone a major factor in national defense and offense.
“Communication was democratized, and curiosity was rewarded,” Koum told Reuters last week. “I had so much fun in early days learning about networking, security, scalability and other geeky stuff.”
The w00w00 party at the St. Regis on February 26 came during the peak of the week-long RSA Conference across the street, the largest gathering of tech security professionals in the world. Some w00w00 veterans were attending the show to hawk software or services from their companies, while others were taking pains to avoid the marketing hype powered by a flood of new investment.
At the reunion, most of the crew ignored the cheese and dried fruit to catch up on old times and toast the man they regard as the first real w00w00 billionaire. The Ukraine-born Koum, who wore a gray T-shirt and black sweatshirt over his large frame, made $6.8 billion from the sale of WhatsApp to Facebook Inc, according to Forbes.
(Napster co-founder Sean Parker is also a billionaire, having gotten rich through owning early stock in Facebook, but he was too business-minded to spend much time in w00ww00.)
The gathering was also an occasion to reflect on why the security issues that the w00w00ers worked on 15 years ago were such excellent preparation for broader technology innovation, and why that might be less true now.
“You don’t get cats and mice playing well together anymore, because the stakes have gotten so high and the net has become politicized,” said Dug Song, who was a core w00w00 member. “W00w00 was the Switzerland of computer security.”
In the 1990s, deep tech knowledge was needed to make things work. Now that infrastructure has been built out and cloud-computing resources can be rented cheaply from the likes of Amazon.com Inc, much more is taken for granted.
“Young kids have less interest in security these days,” said Ejovi Nuwere, an orphan from Brooklyn who joined w00w00 before he signed on as a security engineer at Lehman Brothers and then went on to found multiple companies. “There’s a lot more interest in starting the next Facebook than in reverse-engineering software.”
Founded by Utah teenager Matt Conover, who chose the silly, exclamation-like name, w00w00 claimed about 30 core contributors at its peak, each of them invited by an existing member.
Several participants had wandered to the wrong side of the law in the past. At 15, Nuwere hacked into his local Internet service provider. When he called the company and explained how he did it, he was hired at minimum wage.
Another w00w00er, Anthony Zboralski, received a suspended sentence in 1997 for posing as a Paris FBI official and using the agency’s network services - provided by AT&T - for free for four months.
The sentence was later expunged, and Zboralski went on to handle major security projects for the Indonesian government and others.
Nuwere said the group adopted a “don’t ask, don’t tell” policy, though anyone who was obviously hacking for malicious reasons was shunned.
Most members of w00w00 were conducting research on their own, at small companies or ensconced in big ones like Koum.
“We had some really rich and interesting discussions about security topics,” Conover recalled. “If someone had a good tool they wrote, they’d likely share it.”
One of those tools was the Nmap Security Scanner, created by w00w00 member Gordon Lyon. Used by defenders and attackers alike, the program scans networks for open ports, available services and deployed software. Another tool was the member-developed password cracker, John the Ripper.
W00w00 members regularly spoke at the top security conventions. One of them, Jeff Forristal, under the handle “Rain Forest Puppy,” published guidelines for responsibly disclosing flaws to software vendors before the general public.
Fanning used the w00w00 crowd as beta-testers for Napster. Another w00w00 contributor, Jordan Ritter, ended up heading the development of Napster’s server software before he started anti-spam service Cloudmark and other companies.
Koum was already working long hours to build up Yahoo’s infrastructure and automate its defenses. His big test came when a Canadian teenager launched massive denial-of-service attacks on Yahoo and others, briefly rendering most of them unreachable. Known as MafiaBoy, the teen said after his arrest that he had directed hundreds of compromised university computer networks to connect to Yahoo simultaneously, overwhelming its resources.
Having never met most of the w00w00 members in person, Koum nevertheless turned to them for help in a way that would be unthinkable for a top security executive today. One of those brainstorming with him was Song, who later became the founding architect of a major denial-of-service mitigation firm, Arbor Networks Inc.
As most of the w00w00 membership took serious jobs, often at each other’s companies, the security industry as a whole was splintering.
Conover and others ended up at big companies such as Symantec Corp. Some old-school hackers picked fights with several w00w00 members, arguing that information about security flaws should not be published.
Increasingly during the last decade, geopolitics entered into the picture. Spy agencies and military commanders realized the immense value of specialized software for breaking into and potentially disrupting enemy networks. Some hackers who were caught breaking the law said they were offered a choice between jail and government service.
The apolitical Conover said he did not like it when U.S. authorities questioned him about his associations after he returned from a conference in China.
Another w00w00 mainstay, Ralph Logan, became a consultant with both corporate and U.S. government security contracts, doling out work as a “hostel for homeless hackers.”
Others sold research on how to exploit various software to brokers, who sold it to military contractors. This way of earning a living bothered some w00w00ers on a philosophical level because the information was not shared widely to help shore up cyber defenses.
“The people who understand vulnerabilities and how to exploit them are being co-opted into building offensive tools for national interests,” Nuwere said. “These are issues that hackers have faced in other countries for a long time.”
Koum is among many w00w00ers who have left the security business. Logan has a big-data startup, Kiku Software. Conover’s latest project is a virtualization company called CloudVolumes. Ritter hired Nuwere for a non-security stealth startup called Ivy Softworks.
Though security was once a major breeding ground for important new companies, such departures suggest this might not be the case for long.
“The barriers for entry to learning about hacking in the old sense are such that it doesn’t allow for as much free expression and open research,” Logan said. “It’s an unfortunate sign of maturity in the industry.”
Reporting by Joseph Menn; Editing by Tiffany Wu