Internet Security Platform Closed; Founder Arrested

As Chinese authorities frequently point out in response to foreign accusations that it sponsors international cyberattacks, China is also a victim of hacking. In recent years, its government departments, companies, and other organizations have had the support of a growing number of benign “white hat” hackers who warn them about newly identified vulnerabilities instead of exploiting these weaknesses or selling them to third parties.

Last month, this community suffered a heavy blow with the closure of white hat platform Wooyun and the arrest of its founder Fang Xiaodun, a former Baidu employee, and others. From Josh Chin at The Wall Street Journal:

“Right now all we can do is wait and see what happens,” said one person close to Mr. Fang. “The way this is handled is crucial to how white hats operate in China in the future.”

[…] There’s considerable debate over whether it’s legal in China for white hats to penetrate computer networks, even assuming their motivations are altruistic. Beijing has left the rules on the matter ambiguous. In July, Economic Information Daily, a newspaper published by the official Xinhua News Agency, noted the lack of clear boundaries, saying, “legally speaking there truly are some hazy areas.”

[…] A former chemistry major with long hair and glasses, Mr. Fang left a security job at search giant Baidu to concentrate on Wooyun full time in 2013. He hosted a hacker conference with Wooyun in early July. His most recent post on the popular instant message app WeChat, posted on July 18, showed a photo of him and other images from an unidentified tropical city. It had a self-improvement message: “More important than talent is the courage to become stronger. I hope that when I come back I’ll be a better me.”

The Wooyun website shut late on July 19. Early the next day, the platform issued a statement saying it was upgrading its service and would reopen shortly. “Better to put your faith in Wooyun than to believe rumors,” it said. [Source]

Hong Kong Free Press’ Gene Lin also reported on the arrests and their possible cause:

“Everything happened very abruptly, even members within Wooyun were kept in the dark,” said [a source cited by Caixin Online]. “People from Wooyun said there were no administrative procedures nor prior notice for the arrest,” the source added.

[…] According to the source, the site was not censored by external parties but instead was shut down by Wooyun members themselves as a means to minimise risk.

Multiple theories regarding the arrest have surfaced in the community. Some speculate that Wooyun was involved in legal issues after publicising certain websites’ system loopholes shortly before they were hacked by a third party. Others suspect that Wooyun members were involved in testing the vulnerabilities of government networks without authorisation.

Zhao Zhanling, legal consultant for Internet Society of China, said it is unlikely that Wooyun members were arrested for revealing system vulnerabilities of sites that were hacked, since the hacks were not conducted on the Wooyun platform. Zhao added that the organisation might face legal issues which do not involve criminal liability. [Source]

Researcher and GreatFire.org cofounder Percy Alpha highlighted Wooyun’s closure on his blog two weeks ago, noting rumors that it was linked to vulnerabilities on sites belonging to the Ministry of Public Security, the United Front Work Department, or the Center for Disease Control and various hospitals in Beijing. He also pointed out that Vulbox, a similar service to Wooyun, had recently stopped accepting new submissions. Following confirmation of the Wooyun shutdown and the arrests, Alpha commented on their significance and likely repercussions:

[…] This marks a huge step backwards for information security in China. Rather than rewarding white hats for submitting issues to a vulnerability disclosure platform, the government took the shocking approach of shutting down the platform. Arresting the white hats for penetrating the system regardless of their intent might be justified in a legal sense, but shutting down a platform that itself doesn’t perform any is just ridiculous. Without the vulnerability disclosure platform, white hats, let alone black hats, are more likely to sell the vulnerability in the grey markets. […] The end result is that many more vulnerabilities will be unpatched due to the government’s hostile attitude.

In China, we have a saying that it’s much easier to solve the people who raise the issues rather than the issue itself. You can see such an attitude in many political events and I won’t be surprised by this attitude at all. But this time, the gov takes one step further: The gov is not even solving the people who raise the issues, but the messenger. This is truly 掩耳盗铃. [self-deceit; literally, “blocking one’s ears while stealing a bell” in order to stop others from hearing the noise.] [Source]

In April, both Wooyun and Vulbox were featured in a profile of China’s growing white hat scene by Sixth Tone’s Li Xueqing, who highlighted the unclear legality of their work:

The Chinese government has recognized the positive impact of platforms like Butian in identifying tech vulnerabilities and helping to fix them. Under the guidance of the Ministry of Industry and Information Technology (MIIT), the National Computer Network Emergency Response Technical Team has collaborated with bug-finding platforms such as WooYun, Butian and Vulbox, focusing on identifying bugs in the computer systems of government institutions and other large enterprises, according to the MIIT’s website.

Despite the growing online community and backing from the central government, white hat hackers remain legally vulnerable.

Huang Jinshen, a Beijing lawyer, gave a webinar — the first of its kind in China — on the topic of legal liability and hacking to Butian members late last year. According to Huang, any breach into the system without the owner’s permission may break the law and could mean jail time if more than 20 computer systems are hacked into, or if the damages caused exceed 10,000 yuan.

“The law doesn’t have a clear characterization of white hat hacking, nor has it realized the profession’s positive impact on society,” said Huang of the legal hurdles the white hats are facing if the profession is to further develop. “It’s not enough to just tell the white hats what can’t be done. We need laws and regulations that can guide and regulate the profession and its behavior.” [Source]