How a high schooler hacked into a security company and ended up with a job

Key Points
  • Dug Song, who has been a member of top hacker group W00W00, set up a fake "honeypot" to lure potential talented hackers
  • Jon Oberheide, who was just 17 at the time, managed to break in
  • Eventually the two founded Duo Security, which counts Facebook, Etsy, Yelp, and Twitter as its clients
Dug Song, left, and Jon Oberheide of Duo Security
Source: Duo Security

When internet security specialist Dug Song found out the company he worked for got hacked by a 17-year-old high school student, he didn't alert the authorities.

Instead, he hired him.

Song and highschooler-turned-hacker Jon Oberheide eventually co-founded an information security company called Duo Security in 2010, based in Ann Arbor, MI. The company now counts Facebook, Etsy, Yelp, and Twitter among its clients, and Benchmark, Google Ventures, Radar Partners, Redbpoint Ventures and True Ventures as investors.

"Some of the best hackers don't come with credentials or an Internet degree," Song said. "A lot of this is driven by curiosity and a longing to learn more about systems."

Song had been a member of top hacker group W00W00, which counts the creator of WhatsApp and co-founder of Napster as members. It hacks not out of malice, but to test the security of networks, and calls itself "the largest nonprofit security team in the world."

As a result of that membership, Song was tapped as a security expert, at one point becoming the chief security architect at Arbor Networks. To test if the company's protocols were secure, Song added a fake company inside its system. The "honeypot" was intended to lure hackers to see if they could break in.

"It was like a burglar alarm accessible through the wireless network," said Song. "We wanted it to be interesting enough so it could be our canary in the coal mine."

Meanwhile, Oberheide was a high school student who started a web hosting business with some friends. To get prospective clients, they would "scrape" the internet for email addresses.

"We would send them promotional materials," Oberheide said. "Okay, it was spam."

One of the places that Oberheide used to work was the Starbucks located under Arbor Networks' offices. He would often hack the unsecure wireless networks just to see if he could. While people enjoyed their coffee and surfed the internet, Oberheide could see their conversations and passwords on his screen.

"We weren't looking to do anything malicious," he said. "That's how most hackers are. They're curious about the networks around them."

When he saw the fake Arbor Network company, he took it as a challenge and broke in. But instead of being upset, Song was impressed. Although Oberheide was only 17, he didn't let the fact that he was thwarted by a teen phase him. During the first meet up at an annual DefCon conference, Song discovered that the main organizer of the group was a 15-year-old Mormon kid from Salt Lake City.

"Nothing phases me anymore," he said laughing.

Security engineering isn't like traditional engineering in that people have to consider what other people are not thinking about, he added.

"That kind of divergent thinking is exemplified by the hacker mindset," he said.