White knights of cyber security

By Yin Lu Source: Global Times Published: 2014-6-2 18:53:01

Chinese white-hat hackers improve network security by identifying loopholes in companies' systems. Photo: IC

Yang Wei doesn't like being branded a "hacker," a term that conjures up images of cyber criminals working on multiple computers in smoky basements. The 24-year-old university dropout instead refers to himself as a "white hat," or ethical cyber security consultant who foils attacks by hackers.

As cyber warfare intensifies worldwide, Yang and his peers are in growing demand from organizations eager to close security loopholes in their network systems.

Yang recently received a handwritten letter and gifts including T-shirts from UCloud, a Chinese startup that provides game server hosting services overseas.

As a satisfied client, UCloud presented the gifts to Yang and his team for strengthening the company's network security.

"It was a good sign [of recognition] and very encouraging. We hope the whole ecosphere for white-hat hackers will continue improving, and companies can adopt a better attitude about network security," said Yang.

A former mechanical engineering major, Yang is a self-taught white hat who has worked for three years at wooyun.org, a domestic Internet security monitoring platform.

"It provides opportunities for white hats to profit by alerting and solving security problems for clients," Yang said of the company.

Network security in China's private and public sectors has been tightened in the wake of hacking incidents that have wreaked huge financial losses, leaked valuable data and vandalized websites.

China's national Internet Emergency Response Coordination Office reported that, from March 19 to May 18, Trojan Horse attacks originating from the US hacked into some 1.18 million mainframe computers in China.

For many vulnerable networks, white hats are the last line of defense whose role as "cyber cops" is still largely unsung outside of the tech world.

Black-hat hackers strive to remain anonymous, but their white-hat counterparts are open about their work. Photo: IC

Out-hacking the hackers

Meng Zhuo, chief operation officer and one of the founding members of wooyun.org, said his team specializes in finding online security gaps or risks.

In addition to helping domestic companies and institutions, wooyun.org has also aided global tech heavyweights Microsoft, Google and Apple.

"We deliver reports submitted by white hats, so that [clients] can take measures to improve security," said Meng, 28.

The loopholes that attract the most attention are those within online shopping, travel and smartphone platforms, he added.

Wooyun.org aims to tackle network security issues "from the angle of non-governmental researchers," said Meng.

"A white hat's purpose is to help companies make their products and services better and more reliable, because they are users of the product or service themselves," he told Metropolitan.

"Black hats, on the other hand, find and exploit loopholes. They keep risks hidden from other people for exploitative purposes," he said.

Chinese white hats have won top awards at international hacking competitions, with recognition of their services growing through the rise of major cyber security consultancy firms Keenteam and Knownsec.

But white hats serve more than just those in the corporate world.

They also detect security risks that affect national infrastructure, such as the mining industry and urban heating systems.

When a threat is detected, white hats report it to the National Computer Network Emergency Response Technical Team Coordination Center under the Internet Emergency Response Coordination Office of the Ministry of Information Industry of China.

Yang recalled once finding a security risk for a domestic company.

He alerted the company, which offered to introduce the then-unemployed computer whiz to a hiring tech firm.

"But what I expect most from companies is their gratitude rather than material rewards," said Yang.

Wan Tao, the "godfather of Chinese hackers," dedicates his work today to improving domestic Internet security and fostering an "ethical" hacker culture in China. Photo: Courtesy of Wan Tao

Battle for trust 

A young, well-groomed man dressed in a suit and working at his laptop, Yang is easy to mistake for just another white-collar worker.

But few hackers on either side of the cyber war live up to the stereotype of bearded, introverted outcasts who conceal their faces in a hooded sweater or Guy Fawkes mask.

Yang and Meng said that the typical white hat isn't necessarily a computer science graduate from a top university.

They come from different backgrounds, including engineers, teachers and even chefs, but all have one trait in common: underappreciated skills.

"Some of us earn 3,000 yuan ($481) or less per month, and can only afford to live in the city outskirts," said Yang.

In lieu of wealth, white hats strive to build their experience and recognition in the hope a company or institution might one day offer a permanent, stable job based on their trustworthy reputation as computer experts. 

"There is too much misinformation about white hats. Many people think that all hackers are bad people," said Yang.

White hats have been the subject of flattering media reports and praise from the corporate and tech worlds overseas, but in China it remains a thankless occupation overall. Besides being treated with indifference even by clients, white hats are under constant attack from their nemeses, black-hat hackers.

Wooyun.org has been attacked by black hats frustrated at having their cyber assaults thwarted by the company.

There is also a question of legality over white hats' work. One of the main concerns from companies is that by "testing" a network system's security white hats are invading privacy and potentially harvesting sensitive data.

But Yang insisted his job is only to "find the problem and alert the client without affecting business."

White-hat hackers are unsung heroes of the cyber world, whose work is typically underappreciated outside of the tech world. Photo: IC

Rise of cyber patriots 

Yang always knew he wanted to be a hacker, but he was always motivated by a "sense of justice."

Meng had a similar attitude when he began learning the ins and outs of hacking in 2003.

"I like working in Internet security because it is full of challenges," said Meng. "Society is increasingly relying on networks, which makes the security of information in these networks a top priority in national security."

Wan Tao, dubbed by domestic media as the "godfather of Chinese hackers," has also led a quest to step up cyber security with nationalist motivations. Wan is a former hongke, or "red" hacker, who masterminded a series of cyber attacks against American websites in 1999 to protest Washington's arms sales to Taiwan.

Wan founded a 400-strong hacker collective known as China Eagle Union to carry out the attacks.

"Internet security concerns our fate and direction in the future. For me, the job brings resourceful information and freedom," said Wan, who today works as a cloud computing security consultant for a multinational company.

The focus of his work has shifted to public welfare projects to support the development of grass-roots organizations.

"The simplest difference [between hackers] is that some have the spirits of freedom and innovation, while others are satisfied by skill-related achievements. Those who use unscrupulous tactics and are motivated only by self-interests with disregard for the consequences aren't 'hackers,'" he said.  

Hacker culture

Irrespective of whether the "hat" they wear is white or black, some computer experts can be tempted to abuse their power by using their skills to access sensitive data.

What separates an ethical hacker from a criminal one is the former's "strong, balanced mind and professionalism," said Wan. "It's said that a weapon in the hand raises one's mind to kill; it's a biological urge among humans. Besides deterrents of social regulations, the most important factor is a hacker's understanding of real safety."

White hats are underpaid and unappreciated compared to black hats, which Wan said undermines work by cyber security's "good guys."

"Those who work in small- and medium-sized companies or startups on their own have a lower salary than those in other [tech] careers," said Wan. 

In 2012, Wan released a manifesto titled "Hackers' Self-Discipline Convention" to reach out to the Chinese hacker community. In the document, Wan urges hackers not to abuse their skills by committing cyber crimes.

Leaking private data or hacking for profit defies the "hacker spirit," Wan wrote.

"In China, hacker culture has traditionally focused on skills and techniques. As hacker activity has thrived in recent years, a more natural hacker culture has emerged. Hacker culture should no longer be a profit-oriented, impetuous closed circle," said Wan, who heads monthly hacker conventions through Intellectual Defense Friends Lab, an organization devoted to popularizing network security.

"The only way to fundamentally change the current unfavorable situation is entrusting the State and its enterprises with social and economic responsibilities regarding Internet information security. There needs to be stronger protection of users' legal rights," he added.


Newspaper headline: Ethical hackers fight back against online crooks by stepping up network security

