THE HACKER CODE: DON’T LISTEN TO THE EXPERTS

DECIBEL_JOHN_O_r2 (1).jpg


So the first time I ever met my Duo co-founder Dug, I was trying to hack into his network.

Well, I guess we didn’t “meet” technically. But you’ll see what I mean in a bit.

I grew up in Troy, Michigan and before I consider myself anything else, I was a hacker. That was true from the very first time I ever wrote a program by copying it from a book while I was in middle school. It was a super basic program (literally BASIC) animating an apple falling out of a tree. I found out if I manipulated a few inputs to the program, I could make the apple drop faster and the speaker beep higher pitched. I didn’t realize it at the time, but my first programming experience was testing boundary- and malformed-inputs, a fundamental approach to breaking in to systems. And pretty much after that I was hooked.

In high school, me and a friend of mine started a web hosting company called FocalHost. We also happened to open a shadow web hosting company called JesusHost, which became one of the most popular Christian hosting companies on the web. It’s worth mentioning that I'm atheist and my partner was Jewish. But still, we found a creative niche in the market and ran with it, which is basically what being an entrepreneur is all about.

...my desire to create something new overpowered any fear of failure.


To promote our business, we engaged in some “innovative” online marketing, which in the late 90s meant sending a ton of email. Usually we would camp at a coffee shop on State Street in downtown Ann Arbor, and connect to some open Wi-Fi before sipping our coffee and pressing send on our email campaigns.

While we were there we would usually poke around on different wireless networks to see what we might find. One day we were in a Starbucks, snooping around different networks when we stumbled upon the surprisingly-open Wi-Fi of Arbor Networks, a local security startup. For us, that was basically the jackpot.

This was back when MafiaBoy was taking huge websites like Yahoo, CNN and AOL.com offline for hours and days at a time. The internet was still like the wild west in so many ways and websites couldn’t even stay online against relatively-unsophisticated attacks. That was the problem that Arbor Networks, which specialized in DDoS protection, sought out to solve in the early days of the internet.

So of course, knowing that, when their Wi-Fi name popped up, we immediately wanted to poke around and see if there were any systems that we could take a look at. Arbor happened to be on the third floor of the building we were in, so our signal wasn’t great. As a result, we had to go stealth. (That’s a cooler way of saying we crept up the back stairwell and hunched over our laptops in our oversized hoodies right outside the backdoor of Arbor’s office.)

As it would turn out, Dug happened to walk out the back door while we were there. He saw us in the hallway, two high schoolers who basically looked like caricatures of every hacker stereotype imaginable. Both of us froze, thinking we were busted, but Dug just gave us this really sideways look and then... he just kept walking. I think I let out the largest exhale of my life once he was gone.

That, of all ways, was how Dug and I first met.

And almost exactly ten years later, we started a company together.

And… that was it. There was no bigger plan. It was “Let's go do this. Let's go build a great security company and... we'll figure out what that actually means as we go?”

I’ll clarify that Dug and I officially met at the University of Michigan a few years later. We hit it off pretty quickly.

We worked together on various open-source projects and also, somewhat ironically, I ended up becoming a coworker of his at Arbor.

One funny side note is that when I brought it up to him how we first crossed paths, he actually remembered the entire encounter. An even funnier side note is that he told me that the network we were trying to hack into wasn’t even real. It was a honeypot he’d set up to catch “enterprising individuals” (aka idiots) like me.

I still laugh about that.

Beyond our previous run in and our mutual interest in computer science, one big thing Dug and I had in common was that we both specialized in the offensive side of security. We knew how to break into systems, find vulnerabilities and write exploits. That’s to say, we both viewed security through a similar, somewhat specific lens.

Not long after we started working together, it stopped becoming a question of if Dug and I would start a security company together one day, but when.

We wanted to make a dent in the universe. If we were going to dedicate ourselves to this thing completely, it needed to make an impact in some way.

After graduating from college, I knew for certain that I didn't want to go off into a 9-to-5 job. The only actual job I ever had was at Quiznos when I was in high school. Looking back, I’m grateful for that experience. It ended up helping out quite a bit down the line. Basically, if you want to learn everything you need to know about serving customers and empathy, take a job in the food service industry. So although I definitely did value that experience, I wasn’t exactly gungho about jumping into the workforce.

I was fortunate to always know from an early age that I wanted to work in cybersecurity and had the entrepreneurial spirit, so it was really about finding the right time to jump in and go for it. In the meantime, I decided to enroll in the PhD program at the University of Michigan so I could continue doing security research. While I wouldn’t recommend a PhD for most people, our small research group, led by Farnam Jahanian, was more of a startup incubator than a faculty factory, spinning out successful startups like Arbor Networks and Twilio.

I made it about 99 percent of the way through my PhD program at UM. I was ABD, “All But Dissertation”, which means I did all the work and just needed to defend my thesis (which I later did do in 2012). But then, opportunity came calling. It just so happened that Dug was also in a position to start something new. The stars had finally aligned for us to go build something together. So we basically just rolled up our sleeves and said,  "Hey, let's go build the next great security company."

And… that was it. There was no bigger plan. We didn’t know what problem we wanted to solve or what product we wanted to build. It was “Let's go do this. Let's build a great security company and... we'll do it the Right Way?”



The biggest thing Dug and I were aligned on was that we didn’t just want to build a good product or even just a successful business. We wanted to make a dent in the universe, a motto of the early hacking collective L0pht. If we were going to dedicate ourselves to this thing completely, it needed to make a bigger impact on an industry that was broken in so many ways.

Marty Roesch, the founder of Sourcefire was a big inspiration for us. We had worked with him through the open source community and had a lot of respect for what he’d created. His company was well on its way to success, having IPO’ed a couple years prior to our founding.

We decided early on that we didn’t care what the analysts thought or whatever magic quadrant or bucket investors wanted to place us in. We just knew as long as we were delivering real value to real customers, we would eventually have a successful company.

In cybersecurity, Dug and I saw an industry we were both passionate about, but also one that was mired in negativity, toxic rhetoric, and snake oil that was pawned off on helpless organizations, who knew half their security budget was wasted, but didn’t know which half. It was an industry only serving the top 1% of organizations, with solutions that were both ineffective AND incredibly painful to deploy, manage, and use. It was an industry that thrived on complexity, and piling on more more more without tackling the fundamentals. Heck, companies had to buy entire products and build new teams just to babysit all the other products they had already bought.

We knew there was a better way, for the industry and for organizations. We want to flip the script of every security company that had come before us and do what we thought was right. It wasn’t exactly rocket science...take what every other company does, and basically do the opposite! Solve the right problems in security, treat customers the right way, market and sell with authenticity, and build an organization that can sustain those principles. So, we started our company with a mission: “Democratize security by making it easy and effective”. Pretty simple, as it should be.

It’s weird to start a company before knowing what problem you want to solve. But it’s good to know what kind of company you want to be when you grow up, before you figure out what product you’ll build to get there. For us, it was simple: talk to customers to understand their challenges. In the early 2010s, everyone was getting breached through credential theft and phishing. Of course. And not just large enterprises, but mid-market and even SMB companies. Attackers realized that going after smaller organizations at scale had a great ROI vs going elephant hunting. Everyone needed effective security. Of course. Strong multi-factor authentication was the solution. And an old incumbent product owned the majority of the market, despite the fact that it was near universally despised. That incumbent technology had been invented in 1985, literally the oldest category in security, and hadn’t really changed in several decades. Of course. None of these facts were novel discoveries. Every practitioner knew this to be the state of the security world in 2010. Passwords were failing to answer the basic question of “Who’s actually logging in?” The problem was staring us right in the face.

It certainly wasn’t a sexy or exciting area of security. Given our backgrounds, many colleagues expected Dug and I to come up with some fancy new thing. Maybe a new AI/ML-powered IDS. Maybe a new-fangled mobile security solution. It had to be Next-Gen Something, right? In some ways, we had to get over our own egos, and build what we knew what needed. Simple and usable multi-factor authentication. Security that focused on the fundamental problems that organizations of all shapes and sizes faced. Security that was easy and effective. Security that was built for people, not machines.

One of the great things about working in tech is that nothing is stagnant. Everything is constantly evolving. And that’s a challenge that keeps me fired up every single day.

In hindsight, it’s all obvious. A multi-billion dollar TAM, an incumbent ripe for disruption, and the technological mega-trends of cloud and mobile that were about to shake-up the entire IT and security industry in both positive and negative ways. But it wasn’t obvious at the time. We had to face down 20-30 mid-sized “tokenless” competitors that we had to believe we would somehow out-innovate. We had to weather the dismissive early investors that said “You’re building a company in Michigan?!?” We had to combat competitive FUD that we were just “five guys in a basement” (well, that was actually true, except we didn’t work in a basement). We had to believe that our vision for the future of security was correct and we’d be on the right side of history, even if it didn’t fit into any analyst category.

So we foolishly dove in, driven solely by our belief that doing things differently and doing the “Right Thing” for our customers, our team, and the industry would win out in the end.


All these years later, I’m incredibly proud of what we accomplished with Duo and especially of the way we built it.

But still, when it comes to being a founder, I know that there’s still so much more I have to learn when it comes to, well, everything. And we’re not done transforming the security industry. Cybersecurity has gone from an underground community of hackers, to a commercialized $100B+ industry, and now represents one of the biggest geopolitical challenges for the world that we’ll wrangle with for decades to come. We’re running a marathon, and we’re still just on mile 2.

This isn’t an industry of just one company though. I’ve been fortunate to grow and learn from interacting with founders of security companies that came before Duo, and there are new security companies being started on a near-daily basis. There’s nothing more fulfilling than hearing a new founder say “We want to do what Duo did”, because I know they’re not talking about what we did, but how we did it. Despite being a massive industry, security is a pretty small world where founders go out of their way to help other founders. And I’m excited to help the next generation of security founders make their own dent in the universe.

Jon Oberheide, Co-Founder of Duo Security

azhar hashem