Computer hackers help companies maintain and improve their security by being able to access the latest information. Photo: IC
This month, three professional hackers from Shanghai became the first to break into Apple's latest iOS 7.0.3 system. They did this in just 30 seconds at this year's Mobile Pwn2Own contest, an event sponsored by TippingPoint's DVLabs, the information security service provider for the Pentagon. This year the contest was staged in Tokyo on November 13 and 14. The three professionals, Wang Qi, Chen Liang and Fang Jiahong from the Shanghai Keen Team, became the first Chinese to win this international contest since it was launched in 2007. It had only been 21 days since Apple had released this system.
Although it took the three-member team just 30 seconds to hack into the system, a great deal of preliminary work had been done beforehand at the Shanghai office, where the whole Keen Team, including their top eight hackers, was involved.
Over the 20 days and nights of preparation, team leader Wang Qi and his colleagues located a flaw which they were confident Apple had not yet discovered. If Apple had known about it and repaired it, their work would have been wasted.
Hackers not crackers
Most people think of hackers as they are generally portrayed by the media - as greedy criminals or outlaws who break into computer networks or systems to steal information or money or cause damage.
Wang Qi is the 35-year-old Keen Cloud Tech CEO and team captain for the Mobile Pwn2Own 2013 contest. "Most people mistake the word hackers for the word crackers - we hackers wear white hats and crackers have black hats."
"Most Chinese think hackers are Internet thieves," said team member 29-year-old Fang Jiahong. "The definition of crackers on the Pwn2Own's website as 'script kiddies' is a perfect definition," Wang Qi explained. Although a 7-year-old child might be able to use someone else's program and hack into a website and cause damage he or she would not be able to do any more. "That is exactly what a script kiddie is."
The real purpose of the hacking contest is to show up vulnerabilities and flaws in a system's security. The security of modern complex systems is often better checked by outside experts who have not been involved in their development. When they discover flaws or problems, they inform the designers, who can then modify and patch their software.
Team member Fang Jiahong is a real whizz kid - he has been involved in computer programming since he was 6 when his father began teaching him how to program. He won a stack of prizes in computer programming competitions while at school and qualified as a system analyst when he was 18. After he graduated from the prestigious No.2 High School of East China Normal University, he was enrolled in China's first information security major degree course at Shanghai Jiao Tong University and, after graduating, joined Microsoft.
Fang Jiahong (working on the keyboard) and other participants at this year's Mobile Pwn2Own contest. Photo: Courtesy of Keen Team
Outstanding qualifications
"All of our team have outstanding qualifications in computer science and programming. We are the ones who can bypass security programs miles and miles away from the system. We can make the keys that fit the locks on the systems, but then we hand these keys over to the system owners so that they can patch and upgrade their systems. Most black hats just use methods and keys designed by someone else to infiltrate and steal. It's easy to be a cracker, but very hard to be a hacker," Wang Qi said.
Hackers need a lot more than just a good education, and sometimes even that is not a prerequisite. Another professional hacker, Luo Qinglan, was not top of the class in all his subjects at high school, but his programming skills garnered him several major prizes in IT contests, and this saw him admitted to Shanghai's Donghua University without having to pass the gaokao, the national college entrance examinations. If he had had to pass the gaokao, his low marks in other subjects would probably have precluded Luo from being able to join a graduate course at a major university.
He was inspired to adopt a career in hacking when he was a primary school student playing online games on his musician and writer father's computer. When the computer broke down constantly his irate father asked professionals to fix it. At that stage the 11-year-old Luo began his own research and discovered that the computer had been hacked by someone who had been playing online games with him. He solved the problem by installing a firewall and this spurred his interest in hacking.
By visiting the online forums and chat rooms where China's early hackers communicated and discussed techniques, Luo became a skilled hacker. As a teenager eager to prove himself he occasionally hacked into major websites but then he saw other young hackers being caught and sentenced to prison for similar practices so he rethought his career.
Now the 25-year-old Luo has his own company, LEVSON Network Technology Co, researching and developing network information security protection techniques and helping leading Chinese e-commerce businesses, like yhd.com and dianping.com, secure their systems.
"Information security is such an important issue for e-commerce businesses, but the way some companies approach the problem depresses me," Luo said. A striking example was when Luo and his team tried to work with a well-known website but instead of looking at solutions to their problems the company's IT departments began fighting over who was responsible.
Reality not fiction
Unlike the fictional portrayal of hackers like Lisbeth Salander or Plague in Stieg Larsson's Millennium trilogy where they are seen as introverted outsiders and sport tattoos and body piercings, real-life hacker Fang Jiahong looks like any other office worker - as do all of these professional hackers.
But unlike most office workers these guys talk about mathematics during lunch breaks. And unlike the black hat crackers who are usually loosely organized and communicate through chat rooms, the white hat hackers work together professionally.
The members of the Keen Team got to know each other through their work as information security engineers at IT companies like Microsoft, Google or Intel or with security departments in major international companies like Morgan Stanley and the Dow Chemical Company.
Their shared interest in information and network security research led them to walk away from these leading companies to create their own business. "When I worked for the Microsoft security response center I could only study Microsoft's systems and software. But now my fellow workers and I have opportunities to edge into other areas including Apple's computer and mobile systems," Fang said.
Information security degrees in Chinese universities have been developing for more than a decade, and can rival degrees from foreign universities. Although many students, like Fang Jiahong and Luo Qinglan, complete these degrees and have the skills, very few remain working in this field.
"The job needs a lot of enthusiasm and intense concentration. Very few people can stay concentrated, reading program codes for hours on end," Fang said.
Another reason for graduates not remaining in program security is a disparity in incomes. According to Wang Huaibin, the deputy secretary-general of the Shanghai Information Security Trade Association, the annual income of information security professionals in major international IT companies can be 1 million yuan ($164,128), but the average annual salary of researchers in Chinese institutions is about 100,000 yuan.
Internet companies and software engineers from 66 countries and regions exchange ideas at an Internet information seminar. Photo: CFP
Back to front
Wang Huaibin said there was a back-to-front factor in starting salaries for information security graduates. Graduates from the leading universities who go to work in institutions, government departments or banks can expect an annual income of about 100,000 yuan. Graduates from second-tier universities working for security companies can collect more than 200,000 yuan annually. But self-taught "experts" with diplomas not degrees can attract 300,000 yuan annually. Some workers in IT security have no official qualifications at all but can earn as much as 500,000 yuan a year with under-the-table payments.
The anomaly stems from the way the universities structure their courses. "Although the exam scores needed to be accepted for the information security degree at Shanghai Jiao Tong University have always been the highest of all the majors over the past decade, there aren't many graduates who continue working in this area. One reason is that the degree course is mainly theoretical, but real information security work requires practical experience. We are looking at this issue and ways of encouraging young hackers who are not so successful in academic tests to join the industry."