Yes, companies do hire some hackers from time to time to test the vulnerabilities of their systems, but no one has ever hired Adrian Lamo, one of the top five notorious black hat hackers in the world. In 2002 and 2003, Lamo hacked the systems of several big companies just for pleasure. Among his targets were giants such as Yahoo, Citibank and Bank of America. Lamo was fined 65,000 dollars and sentenced to six months of house arrest and two years of disciplinary probation.
Lamo is a typical hacker around the world. Since the 1990s, with the spread of the Internet among young Chinese, three hacking organizations came into existence: the Chinese Red League, the Chinese Hawks League, and the Chinese Hackers League. Chinese hackers first grabbed public attention after the Sino-US Hacker War in 2001.
After 14 years, most of these “patriotic” hackers have already given up hacking. However, with the spread of hacking techniques, people are facing increasing threats from hackers. Today, the word “hacker” no longer means a computer expert, but rather a destroyer of people’s information security.
In fact, some hackers are good, and can be hired by companies to break into protected systems and networks to test and assess their security. They use their skills to improve security by exposing vulnerabilities before malicious hackers can detect and exploit them. Other hackers are “malicious”, refuse to be hired, and attack websites for pleasure, as Lamo did.
This article aims to help you have a basic idea of the different strategies adopted by three generations of Chinese hackers, the 70s, the 80s and the 90s. Although their strategies differ a lot, they all belong to the same group of people: hackers.
70s: Hacking as an interest
In the 1990s, when people still needed dial-up modems to surf the Internet, Yu Yang, a college student majoring in medicine, buried his head in downloading reports on information security. For fear that the Internet would break down, Yu Yang would jot down as much information as he could.
This med school student was later nicknamed Tombkeeper, or TK Master. In general, people may think that hackers must be crazy, maverick and cynical. Yu Yang, however, seemed very polite and well-mannered on the phone. When we asked for his comment on the gap in information security between China and developed countries, he didn’t give any bitter or absolute answer, but only suggested that “the gap is narrower”. Today, Yu Yang is more like an expert on information security than a hacker.
Born in the 1990s, Yu Yang studied very hard during college. He spent most of his money buying books on information security. Years of hard work paid off later, when he was appointed as an expert on Internet security during the Beijing Olympics, becoming the first Chinese to issue a report on the possible challenges from Stuxnet, and one of the two 100,00 dollars winners of Microsoft hole detecting competition.
After graduation, Yu Yang didn’t become a doctor, but chose to work in an information security company. He was pretty well paid and earned at least 8,000 RMB a month. Since few people understood what information security was at that time, Yu Yang would simply introduce his work as something to do with computers. That’s why many people thought that his work was to assemble computers. Yu Yang was quite lonely at that time, since nobody around him understood what he was doing.
Later, Yu Yang went to Tencent, established his own laboratory called “Xuanwu”, and got pretty wealthy and accomplished. When he looked back, he insisted that he changed his job not to improve his income. In fact, few people were able to and willing to work on information security at that time.
80s: Hacking as a part-time job
In April 2002, the Chinese Internet Association criminalized organized attack behaviors. The Red League was brought to its knees by this action, becoming a website with very little traffic. Some hackers gave up hacking and turned to tech companies to seek more opportunities in this circle; others stuck to hacking while earning their bread elsewhere.
On the surface, H was only the owner of a print shop. In private, however, he was a professional and seasoned hacker. With the money he earned from the print shop, H was able to stick to his interest in information security. Yet all the firewall tools he developed after hours of hard work were free to download on firewall online forums and communities. “If these tools are charged, then nobody would use them,” said H. H attached greater importance to developing these effective firewall tools than to making a profit out of them.
H was not accustomed to being referred to as a “white hat hacker”, because he thought this term misunderstood hackers’ job as merely finding out new holes and weaknesses. “A real hacker will spend more time researching, testing systems and working out solutions to improve systems, instead of hacking into websites and stealing information for fun. The so-called war between hackers and web owners is merely fiction,” he explained.
90s: Hacking as a job
Compared with the 70s and 80s, the 90s are more straightforward. Li Chao (not his real name), born in 1997, was a junior high student in Xinjiang province, and an experienced hacker. When we contacted him, he was happy to tell us his story. Angry that someone had stolen his QQ account in his childhood, Li Chao began to learn how to steal others’ accounts. Gradually, he stopped stealing and began to look for weaknesses and holes in systems. Up till now, he has already found over 400 holes in total.
For Meng Zhuo, the co-founder of Wooyun.com, having something to show off was one of the incentives for the 90s to join Wooyun. Deng Huan was a technician in Qihoo 360’s Patching the Sky team. During senior high, he used to hack his school’s website and control all the computers in net bars, so that he could surf the Internet for free and view other customers’ browsing history on their computers. To show off, he would even reboot all the computers when he was about to leave. In college, he hacked the network billing system not only to surf the Internet for free, but also to hack other systems as well. After the college found out who the hacker was, he was “invited” to have a talk with the dean and the department counselor.
These hackers conformed to people’s impression of hackers.
Today, more and more young hackers are gathering on hole-reporting platforms such as Wooyun and Patching your sky. It is estimated that Wooyun has 11,000 white hat hackers, while Patching your sky has over 100 hacking teams. So we may have a clue about the total number of white hat hackers in China.
In the following section, I will try to help you have a deeper look into the world of hackers:
From being discriminated against to being valued
Yu Yang was happy to see that hackers were becoming more popular than before. Indeed, just a few months ago, two Internet security companies were debating over which company was the winner of the global Internet security competition. In the following months, at least 5 competitions, summits and dialogues are going to be held across China. On Feb 27th 2014, a special team on Internet security and information was set up by the CPC, which suggested that ensuring Internet security was listed as one of the national strategies of China. Since then, hacking became a hot topic in China.
In the past, hackers were not only discriminated against, but also ill-paid (less than 3,000 RMB). At that time, hackers were isolated, since there wasn’t any giant Internet security company then.
Today, “hackers who have more than 5-year experience can earn over 500,000 RMB a year,” Meng Zhuo said with pride. Yang Qing, a director of a Chinese Internet security platform, used to earn 2,500 RMB a month as an Internet security detector, less than half of a developer, when he first entered the job market. Looking back, he said: “Nobody was willing to work on Internet security at that time, since opportunities were quite limited in this sector. Internet security detectors were generally contracted workers, and were given little importance.”
Today, even a low-level Internet security detector, or a white hat hacker, can earn over 100,000 RMB annually. Those self-employed white hat hackers can also make a lot of money by finding out holes for some Internet companies.
Li Chao, the hacker from Xinjiang province, could earn around 10,000 a month. If he could find a big hole, then he would be able to earn over 50,000 RMB a month. “Companies such as BAT paid a lot for their holes,” he said. Li Chao was very confident about his future, though he hadn’t even gone to college yet.
More and more young people were attracted to work in this sector due to the high income. Yang Qing told us that it had become easier to become a white hat hacker. He estimated that there were at least 100,000 low-level white hat hackers in China.
Insiders of Internet security often divide white hat hackers into four levels: low-level hackers take up 90% and can attack only via others’ scripts; middle-level hackers understand Internet security well and are able to attack and defend; high-level hackers (less than 1000) not only understand the Internet well, but can also turn their ideas into tools so as to detect holes more thoroughly; advanced level hackers (less than 50) understand the nature of Internet safety and can work out a whole set of solutions for possible attacks. Although these people are paid over 1 million a year, few hackers can reach this level.
A short time before our interview, H declined an offer from an Internet giant, worrying that he would have to work under great pressure and “ensure the Internet safety of the whole nation”. He preferred freedom, but admitted that he also had to earn bread for his family.
Fame is always the biggest challenge
For H, fame is the biggest challenge for hackers. “Many hackers gave up working by themselves and joined Internet giants such as BAT,” H said. He gave us an example about W, an advanced hacker at that time. When he became well-known in the circle, he left his team and set up another platform. Since then, he spent most of his time attending conferences, instead of issuing reports on his research.
“After these advanced white hat hackers joined Internet giants such as BAT and Qihoo 360, they stopped making progress and could never make breakthroughs,” an insider told us. Anyhow, it remains to be seen whether this phenomenon will do good or harm to the development of the Internet security industry in China.
[The article is published and edited with authorization from the author @IT Times; please note the source and hyperlink when reproducing.]
Translated by Levin Feng (Senior Translator at ECHO), working for TMTpost.