World Internet Conference — ‘White-hat’ Hackers Key Force in Cyber Security

Wuzhen, China, Dec. 17, 2015 (source: China Daily, Cao Yin) — A very small office near the Sixth Ring Road in Beijing houses a very big dream, one that’s shared by thousands of Internet security enthusiasts across China.
Internet security enthusiasts participate in a session related to the prevention of telecommunications fraud during a forum organized by Wooyun, China’s largest online “white-hat” hacker community, held in Beijing in July. (Photo/China Daily)

The office is the home of Wooyun, the country’s largest online community of “white-hat” hackers-private individuals who deliberately hack corporate and government computer systems to detect and expose security loopholes and help prevent cyber-attacks.

Their dream is to build the ultimate, impregnable cyber-fortress.

Fang Xiaodun, one of the community’s co-founders, said that unlike regular hackers, who discover security risks or potential sites of attack in the hope of financial gain, “our aim is to use the advantage our computing or online skills give us to do good deeds in cyberspace”.

As far back as 2010, Fang frequently spent his weekends at a cafe with employees of Chinese Internet giants, such as Baidu, a Chinese search engine, discussing online security problems and how to solve them.

“We shared the discoveries we had made at our own companies, and often found that some of the problems were similar. But lack of communication and the fact that we worked for different businesses meant that all of us had solved them ourselves,” Fang, 28, said.

Planting a seed

Fang Xiaodun (second from left), a co-founder of Wooyun community, joins a discussion about Internet security during the group’s July forum, which was attended by more than 2,000 members of the online community.(Photo/China Daily)

At the time, Fang and his security-conscious friends planted a seed that would lead to the foundation of a platform where reports of potential security loopholes could be received and forwarded to the relevant parties.

The platform is Wooyun, founded in July 2010 by 10 online security experts. Five years later, the computer and Internet watchdog has a team of more than 30 core employees, plus about 20,000 online members. Now it is attempting to extend its reach overseas, helping to detect global security loopholes and discussing how to prevent or solve them, Fang said.

“Cybersecurity is an issue without boundaries, and sometimes things need to be shared and solved via an international think tank,” he said, adding that the platform’s work is not only crucial to the protection of cyberspace, but also a means of furthering members’ dream of total security.

In October, Fang traveled to Japan to discuss “hot risk” areas and the prevention of cyberattacks with Japanese security experts.

“I learned that foreign countries have similar security problems as ours, but few of them have a platform like Wooyun to report to, which is why I intend to extend our business,” he said.

In the past, some Wooyun members looked for security loopholes overseas, “but we had no channel to inform anyone about their reports, so we plan to break through via normal communications at first”, he said.

Wooyun has connections with groups in Hong Kong, Taiwan and other places in Southeast Asia, such as Singapore, and hopes to become a bridge for reports about security risks.

“We first wanted to extend to areas where there are Chinese people, because it’s easier for them to understand our idea that loopholes should be made public when they’ve been solved,” he said, adding that the policy of full disclosure has been approved by the online members.

“Most security fans are proud of discovering problems in cyberspace. Publicly exposing loopholes after helping companies or governments close them is the best way for these amateur experts to feel a sense of achievement,” he said.

Although Wooyun had previously discovered security risks in some Western businesses, including Apple Inc, the companies declined to disclose the loopholes publicly.

“I hope our effective methods of solving security problems in Asia will help us extend further in the West,” Fang said.

Now, Wooyun reports any loopholes its member discover to the National Computer Network Emergency Response Technical Team Coordination Center of China for technical verification.

“Lots of countries and regions have similar institutes, and we first share the security information with them to open a door for communication,” he said.

Although he graduated from a university in Heilongjiang province with a bachelor’s degree in chemistry, Fang did not find his major interesting. Instead, he was addicted to computers.

“What I enjoy is conquering or circumventing games. The feeling of breaking though a barrier is fantastic,” he said.

Passionate pursuit

Meng Zhuo, one of Wooyun’s core employees, has had a passion for computers and information security since high school, when the password to his online game account was stolen.

“At the time, I really wanted to know how the ‘thief’ stole it. I bought computer-related magazines and studied them, but still had no idea. It was then I decided to learn about information security, because I was eager to know how security loopholes happened and how to repair them,” the 29-year-old hacker said.

Unlike Meng and Fang, who dreamed of devoting their time to cybersecurity work by the time they entered university, Huang Hao, 27, revived his dream in 2010, after a long hiatus.

“I was interested in information security when I was 12 or 13, because it was magical. But I thought it was too far removed from normal life,” Huang, 27, said.

Before 2010, when he arrived in Beijing to pursue a new career, Huang was employed at a steel plant Anshan, his hometown, Liaoning province.

“The factory job was not suitable for a young person,” he said.

However, a turning point came when he performed a magic trick during a gala held by his first employers in the capital.

“I received applause from the company chairman and hundreds of colleagues when I performed the trick. As they gave me the thumbs up, I felt a huge sense of achievement,” he said.

“The feeling reminded me of the days when I fell in love with information security. My dream of working in cybersecurity was reawakened right then,” said Huang, who became a Wooyun employee in July last year.

Irrespective of their place of origin, the dream that drives Wooyun’s members and other “white-hat” hackers-impregnable cyberspace-continues to dominate their lives.

“Now we want more businesses to improve their awareness and initiate inspections to determine if their products or services are safe, thereby improving the online environment from the roots,” Meng said.

Government pledges to cultivate more cybertalents

Chinese information security professionals and enthusiasts will soon have more opportunities and channels to access information related to cybersecurity, after the central government highlighted the issue.

A series of high-profile data leaks and thefts in several countries has prompted the government to prioritize improvements in cybersecurity education, and train a new generation of talented students, said Zuo Xiaodong, vice-president of the China Information Security Research Institute.

The State Council has approved information security as a university major, and several colleges and schools have already applied to the Ministry of Education for permission to establish courses, he said.

“The ministry is also conducting research into the subject; studying the kinds of books that will be needed, what kind of courses will be provided and which teachers should be allocated to those courses,” he said.

Fang Xiaodun, co-founder of Wooyun, China’s biggest online “white-hat” hacker community, said industry professionals have been discussing the issue for a long time, especially the need to cultivate new talent, “because the level of education currently provided in schools lags far behind industry developments”.

“White-hat” hackers are individuals who hack corporate or government computer systems to identify security loopholes and prevent cyberattacks.

The information taught in some universities and colleges is inconsistent with the current state of the industry, Fang said.

Fang’s view was echoed by Zhai Jiajia, an information-security enthusiast who recently graduated from a university in the Guangxi Zhuang autonomous region. She said her classes dealt in outdated information and failed to address the hot issues in the industry.

“When I began dealing with cybersecurity-related affairs as an intern at Wooyun, I realized that practical security problems are much more complex and serious than what I was taught at college,” the 21-year-old said.