White hats and black hats in the hacker field

Just as Bai Maofa and black magic, in the field of hackers also should be divided into "white hat" and "Black Hat." As the "information Police", Fonglenton has been a "Gandalf" in the field of hacking for the past 8 years, and is dedicated to "Voldemort". Recently exposed Ctrip "loophole door" event, let Fonglenton and create the network vulnerability reporting platform-cloud network again to the front. Fonglenton, who has just reached the age of 27, says he has now assembled 5,000 white-hat hackers scattered across various fields to crack down on the security vulnerabilities in the country's major websites. Fonglenton said, "dark clouds" is the cloud era cover in the information thieves and Internet companies on the head of a warning curse, hope that every time the clouds see Fog is a network security progress.

Self-taught hacker talent

2002, 15-Year-old Hubei lad Fonglenton was admitted to the Harbin University of Science and Technology chemistry major. "When I was a kid, I was interested in computers and I was studying Internet technology myself. "In Fonglenton's eyes, technology is really nothing, and by self-study you can become an expert." "At that time, there are many Internet technology tutorials and discussion community, as long as they are willing to learn, everyone can become a technical master, security technology is not a school can be taught." ”

In the four years of college, Fonglenton almost all studied hacker technology. You know, network security is always an integrated attack and defense, the hacker's Dan is through actual combat practice. So, Fonglenton Black School website, do their own network technology type of community website, when the small groups of network technology often staged technology "rush", and Fonglenton are the main force. "At that time, everyone black to go to the ground than technology, around 2004, the entire internet is not as deep as now everyone's life, network security is purely technical existence." Later did not black, we find some common software vulnerabilities, after discovering that the developers feel very fulfilling. ”

At first, because of the fun to do, but for Fonglenton to provide the first job, but also let him into the real sense of the network security engineer. In 2006, the graduating Fonglenton discovered a software company's product flaw, when the company served hundreds of thousands of of customers who could radiate hundreds of millions of users.

"After discovering the loophole, I contacted the company through the Internet community, and they were curious to invite me to Beijing to talk to their bosses," he said. Fonglenton said, "We are very happy, after graduation I entered the company, dedicated to the software security protection work." ”

Baidu digs the corner to change the body safety expert

In a sense, Fonglenton is also a "hacker", but not a spoiler. 2008, Fonglenton in the field of network security has been a duck in the net, there are internet companies to dig horns, and the most let Fonglenton echocardiography, is Baidu.

Internet companies, "code farmers" and "technical apes" have a habit, is the "mixed community." These big and small online technology community is China's Internet master and Hacker's distributing center, this kind of organization is extremely loose, everybody is matched by the net name, but is such network forum but strictly seniority.

"In our safe community, as long as you are good enough, a lot of people will recommend you, Baidu is through this community to find me." Fonglenton said that at the time, although working in a software company for two years, but have not tried to face a large company platform. "So I'm going to change the environment and see if I can do a good job of security in a big platform." ”

From 2008 into the Baidu to leave in 2011, Fonglenton in Baidu Step-by-step to achieve the senior security engineers, the main responsibility is to resist hacker intrusion, and Baidu's security team from the original five or six people developed into more than 30 people's "hacker protection wall."

Speaking of the reasons for leaving Baidu, Fonglenton said, mainly because of the ideal, want to use their technology for more internet companies to solve security problems. "A white hat hacker, in addition to being interested in technology, has to have a positive energy ideal," he said. "In fact, Baidu's main business is the search engine, so the entire Internet domain has limitations, for the time of Fonglenton, Baidu left him the space has been extremely limited." "In Baidu can only do Baidu, the entire Internet in addition to Baidu has a lot of space, so I think, can do something in a larger space." ”

The main cloud has a reputation

In fact, as early as July 2010, Fonglenton on the United Sina, 360 of the two white Hat engineers, together to create a cloud net, was founded to solve Baidu and Baidu and similar enterprises. When it comes to the origin of the "black Cloud" name, Fonglenton said that cloud technology was developing at a strong momentum, many companies are Shanyun convenient, low-cost, but in fact, before a problem affects only one or two users, the use of cloud technology may affect tens of millions of people. "Dark clouds are trying to tell you that cloud technology is risky, and that dark clouds are an early warning." ”

Since the first day of its existence, the dark clouds have been positioned as a non-profit organization between white hats and businesses, given what they have done to offend. 2011, just set up a year of cloud network continuously disclosed Jingdong (rolling information), Alipay, NetEase and other famous internet companies have high-risk loopholes. Since then, the dark clouds are also pointed out that Alipay 25 million user data leakage, such as home Hotel open room information leakage, Tencent 70 million QQ group of users data leakage and a series of security issues, almost war war, a time black cloud reputation big noise.

"We are from a small technical circle, so the first focus on the big internet companies, and then many white hats will be submitted to government departments, large state-owned websites of the vulnerability report, but as a third-party agency, it is difficult to coordinate with these agencies, so that they provide improved information." "Is Fonglenton suffer how to solve this problem when the mouth, at the end of 2011, the Ministry of Public Information Security vulnerability of the public platform," the head of the initiative to seek cooperation, hope cloud can share data information, by the platform to promote the government, central enterprises to improve the system.

"There are two sponsors of the cloud: The national Information security vulnerability sharing platform and the Guangdong Information Security Assessment Center, they will provide regular funding every year, basically can cover our costs." "Fonglenton said," and with these two platforms, the cloud becomes a cover for internet companies, finance, large and medium-sized enterprises, government agencies web site of the industry-wide vulnerability entrance. ”

Calling himself an engineer, unwilling to be a businessman

Despite the sponsorship, 2011 remains the most difficult period of dark clouds. In December 2011, dark Clouds disclosed information about the disclosure of more than 6 million user data from the country's renowned technology community, Csdn. After the data was released, many people used the data to attack other companies, and the dark clouds were widely questioned. December 29, Cloud Network announced the temporary closure, said the future will be selective disclosure loopholes to reduce the impact. Half a month later, the cloud net of the realignment of disclosure rules resumed access.

Fonglenton said that the dark clouds at the beginning of the creation of a lot of time and business, regulatory authorities to explain the role of the cloud is only the equivalent of security warning, not hacker behavior. Up to now, the cloud has disclosed nearly 50,000 network security vulnerabilities, including Ctrip, Tencent, Taobao and other well-known enterprises, including 524 manufacturers in the cloud registration. And the cloud's technical team-white hat has reached 5,000, the white hat hackers have the major companies of the network security engineers, there are IT employees, there are white-collar workers, lawyers and even chefs. With the popularity of the rise, more and more people began to accept the clouds.

But there are also a lot of voices questioning the dark clouds. Hacker circles have this kind of saying: The hacker invades the website to steal the information, as long as the cloud net to the manufacturer submits the loophole, can wash white. In only the white hat to be audited to enter the cloud network in the private forum, black industry, net profit, cyber war and other topics have a special discussion plate, Cloud was once referred to as "China's largest hacker training base."

In the face of doubt, Fonglenton very indifferent. "One of the biggest problems with cyber security is that we don't know what our opponents are doing, and we set up these discussions to study black hat technology and better block hackers," he said. Fonglenton said, "The real hackers do not want to wash white, it is best not to let anyone know what he did, how will also actively notify the enterprise." ”

In fact, from Baidu to set up clouds, Fonglenton income reduced a lot. While not thinking about making money for the time being, Fonglenton and his team are doing a little business thinking about the future. "Now dark clouds are finding problems, providing free warning information." The future around the cloud platform, we can also take a step forward, the white hat and enterprises linked to provide code changes, repair loopholes and other solutions, this part of the service is charged. ”

Fonglenton Frankly, the cloud itself will not become a for-profit security technology intermediary, will continue the online public service model. "I feel like I'm still a technician, not a businessman," he said. ”

noun explanation • White hat hacker

White hat hackers refer to hackers who use their own hacking techniques to do "good" things, a bit like the nature of cyber-security engineers. Typically, white-hat hackers attack their own systems or are hired to attack a client's system for security review.

-The idealist of the realistic fringe of character sketch

Fonglenton was first seen in the IT enterprises gathered in Zhongguancun, long hair, t-shirts, human word drag, looks more like a literary youth, not hacker technology male. In Baidu search Fonglenton, the most widely spread is not black clouds, not white hat hackers, but he and Li on Hunan Satellite TV "Day Up" on the show, to leave his girlfriend sang that a bit of a walk tone of "nothing."

Fonglenton said he had been too crazy about technology, and studied technology on the web, in addition to eating and sleeping. Now in charge of the dark clouds, a lot of transactional work, technology put down a lot, only a little of the ideal has never put down. Fonglenton's ideal is to make network security issues more transparent, enterprises can pay more attention to safety, white hat wages can improve a little.

However, Fonglenton often said, now the Internet industry environment is not good enough to achieve such an ideal is actually very difficult. You know, white hat and black hat income gap is the monthly income of 10,000 and daily income gap of 10,000. "The original white hat hackers, go to Baidu, do dark clouds themselves did not think, now clouds and other platforms to do also did not completely think good." The road is a step-by-step precipitation out, not to come out, dark clouds now just do their own thing. At this time, Fonglenton became a practical science and technology man.

>> Talk about the dilemma

The main resistance comes from bat Big Three.

Beijing times: Dark clouds such disclosure model corporate recognition?

Fonglenton: It should be said that most enterprises are still very approved. But there are also enterprises hope that we do not care about security, rest assured that their software, put money in their accounts, and we do is to want everyone to pay attention to safety, so this is not recognized but some.

Jinghua Times: Is this not a lot of recognition?

Fonglenton: This resistance is mainly from bat (Baidu, Alibaba (rolling information), Tencent). Many companies now offer rewards or bonuses to people who find loopholes, and their bonuses are certainly part of the solution, but more to the point of not wanting the public to know about security issues. None of the problems we expose have been rewarded, but only the people who have given them the problem and solved it in private.

Jinghua Times: In this case, did bat's people find you in private?

Fonglenton: The first search, we did not agree, because our rules are based on whatever reason must be open to the user. Then they changed their strategy, which was to pay a hefty reward to their engineers, and the loophole was closed to the user. It's fun here.

Jinghua Times: Will this bring some impact to the dark clouds?

Fonglenton: There will be, but the whole industry is getting more and more secure, and we're also thinking about how to fight bat in a better way. Because only the public understand the loopholes and security issues, the entire industry will exist, enterprises will be willing to invest more in the security field, white Hat survival status, public information security can be better protected. In the past, we do not attach importance to safety, enterprises do not invest, white hat treatment is not good, in order to live more people will do the black industry, we hope to change this cycle, so that enterprises in the face of security issues when the information more transparent.

>> Talk about hype

There are three kinds of people who are most dissatisfied with us.

Beijing Times: Some people questioned the disclosure of the cloud is to catch the eye of the "title Party", How the dark clouds are internal regulation?

Fonglenton: We pay special attention to the title, now we have 3 people dedicated to the white hat to submit the vulnerability Report audit and objective processing. But there is a contradiction can not handle, recently there is a case, Alibaba believes that a certain level of vulnerability is low, but the white hat after looking at it is not the case, he took the problem to demonstrate, found that the danger level of this problem is high. To the enterprise must be the impact of the smaller the better, but for the white hat is the truer the better, so we can easily be said to be "title party." But after 45 days, we will disclose all the details of the loophole, the fact is here, objective or not everyone to judge.

Beijing Times: There is also a doubt that the dark clouds will hype themselves, what do you think of the sound?

Fonglenton: These voices are very strange, the enterprise will say so. Ali, Tencent's PR is very strong, this voice can not stop. There are people who are dissatisfied with what we do, we can only do our own thing. What I want to say is that there are three categories of people who are most dissatisfied with us: one is to hope that users do not pay attention to the safety of large enterprises; The second is the black industry, we have directly blocked a lot of black industry chain; third, companies that want to profit through information closures, such as security companies that used to intimidate users through vulnerabilities, we disclose all information, Against them.

>> About Rewards

Companies give white hats incentives to be regulated

Beijing Times: White hat tells the enterprise system loophole, many enterprises will give rewards, right?

Fonglenton: We are non-profit organizations, or want to make a bridge, now many companies are very friendly to the hat. The latest modern Sky music festival, we exposed a loophole, the organizers are willing to give 30 tickets to reward white hat. We will only contradict those who are hostile to the user's knowledge of the security issue.

Jinghua Times: These people are bat?

Fonglenton: The way of the Internet community is different from the way of business, if we are a for-profit organization there is no way to balance. So the clouds and the bat are not opposites, and we're trying to communicate with them at the top, but I think it will take a long time.

Jinghua Times: Is there a management mechanism for rewards offered by enterprises?

Fonglenton: Usually we have companies and white hats directly linked to send them small gifts. The ministry's sponsorship will regularly give small prizes, and there may be books on a regular basis, which we all oversee.

>> on safety

Current domestic network security to pass

Jinghua times: What level do you think the domestic network security is?

Fonglenton: Frankly speaking, the domestic Internet security before 2011 is very bad, now much better, but with the United States than there is a big gap, can only make a passing grade. Now our country's Internet security is not enough open and transparent.

Beijing Times: Ctrip after the incident, you think the network security and ease of use between the two is not contradictory?

Fonglenton: There are no intrinsic contradictions, there may be contradictions in specific programmes, but such contradictions can be made up by other schemes. What kind of degree should be followed between safety and convenience? I think if it involves money, and the core information of the individual, it must be security first.