"I look at the world through a hacker’s lens"
Lookout co-founder John Hering, on solving post-PC security.
“A lot of people ask me what being a hacker really means,” says Lookout co-founder and executive chairman (since April) John Hering, as sunlight floods a 27th floor meeting-room in the company’s downtown San Francisco HQ. “To me it’s someone who is innately curious and interested in systems, and does something with systems that their creators couldn’t have imagined or didn’t intend to be possible.”
He adds: “That definition is how I look at the world – through the lens of being a hacker.”
Hering started programming when he was just seven years old, growing up immersed in computers and, a little later, the Internet. He met his co-founders James Burgess and Kevin Mahaffey at the University of Southern California (actually, he first encountered James in high school, but says they only talked “a couple of times” back then), and the trio became close friends sharing a deep fascination with emergent mobile and wireless technology.
“It wasn’t obvious then that mobile security would be a big deal,” says Hering, now 30. “At the time there was Nokia Symbian S60, Windows Mobile and BlackBerry, but none of them were really smart OSs and their unit volume [sale] was very minimal. We ended up discovering some really interesting security vulnerabilities in the Bluetooth stack that affected a number of handsets, namely Nokia, that allowed us to remotely exploit the devices.” He smiles: “It was pretty James Bond.”
Actually Hering’s somewhat downplaying what was essentially a spectacular stunt. By teaming up with researcher friends from the UK and Austria, they were able to show that it was possible to hack into other people’s cell-phones, via Bluetooth, from a distance of up to 1.2 miles.
When they first pointed this out to Nokia, the company’s reaction was one of “you crazy kids!”, Hering recalls. “They said that while they acknowledged this [security vulnerability] issue, the range of Bluetooth is very short and so it’s impractical, and no one is going to do it.
“But to be a great entrepreneur you inherently need a healthy dose of scepticism when someone says something’s impossible, and a great lesson in life for companies is don’t ever challenge college hackers, with infinite amounts of time on their hands, by saying that something’s not possible, because it almost certainly is."
“Kevin, my co-founder, is an electrical engineer by education and is just brilliant in that field, and he was able to help assemble some custom gear, which was made from off-the-shelf parts, that allowed us to extend the range of Bluetooth from 100 metres to 1.2 miles.
“We then took it a step further, by putting the gear in a backpack and walking the red carpet at the Academy Awards in Los Angeles. We demonstrated that many celebrities’ cell-phones were vulnerable to hacking – although we didn’t actually hack their phones, just demonstrated that it was possible,” he adds. “That ended up getting a lot of attention and building awareness around the issue, which was great.”
All of a sudden, the team found their calls to the telco giants were being returned. “After that we started to collaborate and worked very closely with a number of companies, including Motorola and Microsoft, which was really exciting,” says Hering. “It then became apparent, when the iPhone shipped in 2007 and Android in 2008 that the future of computing was here. All of the work and research we had done, over three years or so, put us way ahead of the curve. The bet we’d made that mobile security would be important, really started to manifest itself.”
The post-PC era.
Hering and his co-founders set about raising venture capital and started down the long, twisting path of building the leading security company for the post-PC era. Asked to reflect on how the Lookout team had the foresight to spot a glaring opportunity in mobile security, long before it became obvious to multi-nationals, Hering pinpoints how the founders had all come of age as members of the ‘Internet generation’. “What I mean by that is that we all started using the Internet in its infancy, right at the very beginning of a lot of important technology trends and the hacking community in general.
“As we looked at what was possible with mobile computing and high-speed networks, it became very obvious that the shift from computing at your desk to computing in your pocket would be just incredibly important to the world.
“It had very little to do with security. Computer and information security is nothing but an artefact of computing, and the larger the computing landscape, the larger the opportunity for the bad guys to do harm. It was our belief that if smartphones and tablets massively exploded, then security would be an important problem that needed to be solved. So our primary bet was on the relevance of smartphones and tablet adoption -- and we were very lucky in our timing.”
The team waited for just the right moment to launch Lookout, he says. “It would have been very easy to have been impatient and given up after a few years, and we would have missed the opportunity to build this company. So not only was it timing, but our willingness and fortitude to forge on, because we had such a deep-seated belief in what we were doing and we were doing it because we loved it.”
Why does he think the incumbent security companies were slow to grasp the rapid rise of mobile (and tablets)?
“It’s not that they weren’t aware of mobile, but they were absolutely under-investing and did not appreciate what it would mean in the early days,” he replies. “Today they do. But it’s pretty obvious today. I would say that it has a lot to do with that founder DNA. We don’t play golf at the weekend, we do this stuff and this is who we are.
“It’s very different when you have a large company, where they’re focused on their cash cow and their quarter-to-quarter earnings. It’s hard to take big bets. Especially when the company is not run by people close to the technology and the things that are shaping the world.”
Billions of events
Another reason Lookout outflanked its heavyweight rivals, was that the team spotted early on that data and cloud infrastructure would be the future of helping solve information security. “We had a very specific strategy that we would build our product in a way that everyone could use it, as long as they chose to contribute, and they would become part of a giant community that allows us to analyse data and predict potential threats around the world, in real time.
“We process billions of events per day. That allows us to synthesize, out of those events, and predict what the threats actually are - and that’s made possible by our user base. So our user base is this giant sensor network, if you will, helping us to better predict and block security breaches and fraud, allowing for real-time analysis beyond samples. Our vision is how does the world become more secure as it becomes more connected?”
Asked for a key piece of advice for young entrepreneurs, Hering singles out being passionate about the field they are launching a company in.
“At the end of the day, that’s what’s going to take you through building a company of significance, because it’s going to be hard – and, statistically speaking, it’s nearly impossible to do -- so if you don’t have something that you are truly passionate about, then it’s almost impossible to make it work.”
Indeed, Lookout’s founders began working on their project in 2003-04, days which Hering now describes as “some of the happiest times of [his] life”.
“We lived very simply. We all lived together in a loft, I think we lived on about $3,000 per month for the three of us. It was crazy, but awesome, spending time with my friends, hacking, working on interesting projects, getting recognition for our hard work from the research community, from the Internet. It was fantastic so there was no other path - it was just obvious to us that this is what we needed to be doing.”
However, passion alone isn’t enough, he says. It has to be combined with a “massive technological market trend”.
“You can have something you are really passionate about, and have it only impact one million people on the planet,” he explains. “But what really helps create a global business is when a passion intersects with something that impacts hundreds of millions or billions of people -- then you’re really onto something. So spotting opportunity has a lot to do with being able to synthesise something you’re genuinely passionate about, and you’re willing to work on through all hardship, with being able to identify massive market opportunities, even before those opportunities have become massive.”
Already firmly established in the US, Lookout was engaged in a concerted European push at the time this interview was conducted. Today the company has a European hub in London, where it employs 240 people.
Set up for success
“The European market opportunity is huge”, says Hering, who had just stepped off the red-eye from London, when we met. “We already had significant traction from an end-user perspective through app stores and through the Internet, but it became apparent to us that if we really wanted to achieve true scale and velocity on a global basis, then we would have to have a physical operation in Europe that allows us to deal with users from a support perspective, partners from a distribution perspective and local marketing.
“While you can reach the world through the Internet, it’s hard to truly appreciate the cultural nuances of being successful in a market unless you have boots on the ground. So we decided that it would be very important for us to invest there.
“Now we were fortunate that we were already set up for success. We have major investors based out of London, including Index Ventures, which gave us a huge advantage from a traction perspective in recruiting and building our infrastructure. And we had a user base that was already growing very quickly that we could ride on the back of. The reason we moved to London was very simple: for talent. To hire the best people that we possibly could.”
Lookout, which has already built up a user-base of over 50m, aims to grow to hundreds of millions of users in the coming years and expand into the competitive enterprise security space, targeting large enterprise. The company recently announced a funding round of $150 million, more than doubling its funding to date and scoring the largest security investment so far this year.
Why large enterprise? “The numbers tell the story,” says Hering. “There are already several billion smartphone users around the world, with 1.7bn new smartphone and tablets expected this year alone. Lookout is uniquely positioned to address these security challenges, leveraging its innovative security technology to predict and block vulnerabilities.
“But then in addition to scaling what we have, it’s all about where do we evolve and where do we take the company next? We are playing for the long term. The market is there, the opportunity is there, the time window is here in front of us and we need to capitalize.”
Ten years from now, he continues, almost everything will be connected, from our home thermostats to our cars, microwaves and refrigerators. “There are different reasons to exploit different things. Your coffee-maker may not be that interesting to an attacker, but your car will be.
“And so building security that lays on top of the foundation of Internet-connected things will probably be a very important opportunity, and while I can’t tell you yet what it is we’ll build, we’re spending a lot of time thinking about what the technology landscape will look like, so that we’ll be in the best position to win.”