If tough love is the best way to fix the world's software, then Wu Shi may be one of the information security industry's unsung heroes.
Since 2007 the 35-year-old Shanghai-based researcher has found and reported more than 100 critical flaws in Web browsers like Internet Explorer, Safari and Chrome that could be used to hijack users' computers when they browse to an infected Web page. In the last year alone he's sold more than 50 of those flaws to vulnerability bounty projects like Zero Day Initiative and iDefense, organizations at Hewlett-Packard and VeriSign, respectively, that pay researchers for bug information and use the data in security products before passing it on to affected software vendors.
Those numbers represent more flaws reported to Zero Day Initiative and iDefense in a single year--and certainly more vulnerabilities in Web browsers--than practically any other researcher in the world. And more than half those flaws have been in Apple's Safari browser.
In one security update last month, for instance, Apple released 64 new patches for its iPhone operating system. Only six of those security problems had been identified by Apple's internal researchers. Twelve had been identified by researchers at Google. Fifteen had been identified by Wu.
"Perhaps Apple should hire Wu Shi to help them, since apparently he can find more than twice the bugs their whole security team can find," fellow security researcher Charlie Miller told Forbes at the time.
In instant messenger and e-mail conversations, Wu explains how he uses a method known as "fuzzing" to harvest those bugs. Fuzzing a browser involves feeding a stream of tweaked files into the program to see which cause it to crash, and then analyzing those crash instances to see which would allow a hacker to insert code that would give him or her control of the browser.
Wu uses his own unique algorithm to generate those test files, and throws them at his own Apache Tomcat server, allowing him to test more samples at a higher frequency than the average researcher. Instead of merely switching single variables in a file, he says his method changes the entire sample, making as many changes as possible that still allow a browser to recognize the file as HTML. "My fuzzing framework focuses on the software's structure, not the details," Wu said.
Wu doesn't perform deep analysis on the bugs he finds, says Aaron Portnoy, a research manager at ZDI who has examined his findings. But Portnoy says the Chinese researcher's full-file fuzzing catches bugs that other approaches can't. "These files have complex hierarchies of related items. Instead of changing one of those items, he can change how the relationship tree works," says Portnoy. "A lot of people fuzz data. He fuzzes relationships."
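As an added illustration of the tree-level ("relationship") mutation Portnoy describes, here is a small Python mutator written for this page. It is not Wu Shi's framework or any ZDI tool; the Node model, the operation names (reparent, duplicate, swap, wrap) and the sample page are all constructed for the example. It only produces the test files: the browser under test, the local web server that serves the files and the crash triage are outside the snippet.

```python
# Added example: a toy structure-aware HTML mutator. Not Wu Shi's framework;
# the tree model, operation names and SAMPLE_PAGE are constructed for this page.
import copy
import random
from html.parser import HTMLParser

VOID_TAGS = {"br", "img", "input", "meta", "link", "hr"}

# Constructed seed document; one line so that parse/serialize round-trips exactly.
SAMPLE_PAGE = ('<html><body><table id="t"><tr><td>cell</td></tr></table>'
               '<div class="a"><span>x</span><img src="p.png"></div></body></html>')


class Node:
    """One element or text node of the page's tag tree."""

    def __init__(self, tag=None, attrs=None, text=None):
        self.tag = tag            # None for text nodes
        self.attrs = attrs or []  # list of (name, value) pairs
        self.text = text          # None for element nodes
        self.children = []


class TreeBuilder(HTMLParser):
    """Builds a Node tree from markup with the standard-library parser."""

    def __init__(self):
        super().__init__()
        self.root = Node("root")
        self.stack = [self.root]

    def handle_starttag(self, tag, attrs):
        node = Node(tag, attrs)
        self.stack[-1].children.append(node)
        if tag not in VOID_TAGS:
            self.stack.append(node)

    def handle_endtag(self, tag):
        # Pop to the nearest open element with this tag; stray closers are ignored.
        for i in range(len(self.stack) - 1, 0, -1):
            if self.stack[i].tag == tag:
                del self.stack[i:]
                return

    def handle_data(self, data):
        if data.strip():
            self.stack[-1].children.append(Node(text=data))


def parse(markup):
    builder = TreeBuilder()
    builder.feed(markup)
    builder.close()
    return builder.root


def serialize(node):
    if node.text is not None:
        return node.text
    attrs = "".join(f' {k}' if v is None else f' {k}="{v}"' for k, v in node.attrs)
    inner = "".join(serialize(c) for c in node.children)
    if node.tag == "root":
        return inner
    if node.tag in VOID_TAGS:
        return f"<{node.tag}{attrs}>"
    return f"<{node.tag}{attrs}>{inner}</{node.tag}>"


def elements(node):
    """(parent, child) pairs for every element below node, depth first."""
    out = []
    for child in node.children:
        if child.tag is not None:
            out.append((node, child))
            out.extend(elements(child))
    return out


def contains(ancestor, node):
    """True if node is ancestor itself or lies anywhere in its subtree."""
    return ancestor is node or any(contains(c, node) for c in ancestor.children)


def mutate_tree(root, rng, rounds=3):
    """Apply relationship-level mutations; returns (new_tree, ops_applied).

    No tag is ever invented: wrappers reuse tags already in the seed, so the
    output is still something a browser recognizes as HTML. Each operation
    changes where a subtree sits in the tree rather than the bytes inside it.
    """
    tree = copy.deepcopy(root)
    seed_tags = sorted({n.tag for _, n in elements(tree) if n.tag not in VOID_TAGS})
    applied = []
    for _ in range(rounds):
        els = elements(tree)
        if len(els) < 2:
            break
        op = rng.choice(["reparent", "duplicate", "swap", "wrap"])
        parent, node = rng.choice(els)
        if op == "reparent":
            # Move the subtree under another element that is not inside it (no cycles).
            targets = [t for _, t in els if not contains(node, t) and t.tag not in VOID_TAGS]
            if not targets:
                continue
            parent.children.remove(node)
            rng.choice(targets).children.append(node)
        elif op == "duplicate":
            parent.children.insert(parent.children.index(node), copy.deepcopy(node))
        elif op == "swap":
            # Exchange two subtrees, neither of which contains the other.
            others = [(p, n) for p, n in els
                      if n is not node and not contains(node, n) and not contains(n, node)]
            if not others:
                continue
            parent2, node2 = rng.choice(others)
            i, j = parent.children.index(node), parent2.children.index(node2)
            parent.children[i], parent2.children[j] = node2, node
        else:  # wrap: insert an extra level in the hierarchy using a seed tag
            if not seed_tags:
                continue
            wrapper = Node(rng.choice(seed_tags))
            i = parent.children.index(node)
            wrapper.children.append(node)
            parent.children[i] = wrapper
        applied.append(op)
    return tree, applied


def generate(seed_markup, count=10, seed=0, rounds=3):
    """Produce `count` mutated samples from one seed page, reproducibly."""
    rng = random.Random(seed)
    root = parse(seed_markup)
    return [serialize(mutate_tree(root, rng, rounds)[0]) for _ in range(count)]


if __name__ == "__main__":
    for sample in generate(SAMPLE_PAGE, count=3, seed=1):
        print(sample)
```

A team testing its own rendering engine before release would write these samples to files, serve them from a local web server and record which sample preceded each crash; because the generator is driven by a seeded random.Random, a crashing sample can be regenerated exactly from the seed and index for triage.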
Wu says he came up with his bug-finding breakthrough after a series of career disappointments. As China's stock market bubble swelled in 2006, his job at a small IT firm began to feel like a sinking ship. "I fell deeper and deeper into despair," Wu said. "On my salary, I couldn't even feed myself."
He left the IT firm and launched a startup based on peer-to-peer file sharing technology. But when a big customer refused to pay for a major project it had commissioned, his partner took another job and the company collapsed.
Wu began assembling a security consultancy and experimenting with fuzzing ideas he'd first had as a student at Fudan University years before. He found several Microsoft security flaws and reported them to the company directly before a friend told him about "vulnerability buying" programs like ZDI. "From that time on, I became a full-time bug hunter," he says.
The hunt has been fruitful. ZDI has paid Wu at least $5,000 for each of the 50 bugs it's bought from him, and iDefense has on occasion paid more than $10,000 for a single flaw. Wu won't say just how much those rewards have added up to, though some simple math shows they go well beyond a quarter of a million dollars--a tidy sum in China. ZDI has also awarded Wu "platinum status," a title that comes with a $20,000 bonus and a free trip to the Black Hat security conference in Las Vegas.
The idea of hundreds of critical security bugs in the hands of a mainland Chinese researcher might worry some in the wake of several widespread cyber espionage networks recently linked to China. The very public hacking of Google, Juniper, Intel, Yahoo and several other companies by cyberspies seemingly based in the country, for instance, used a flaw in Internet Explorer that could have been found with techniques similar to Wu's.
But Wu says that he has sold bugs only to those that "don't do evil" and report the bugs directly to software vendors. For some Internet Explorer bugs, he says he's had offers of 10 times ZDI's bounty from black-market buyers. But moral questions aside, Wu wants none of the risks that come with criminal associations.
Even so, the sheer numbers of vulnerabilities that Wu has found may be troubling, particularly in Apple's software. Wu says that he focuses on Apple's flaws because it's clear that the company hasn't. (Apple did not immediately respond to a request for comment.)
While Microsoft has been busy hardening its software against a decade of attacks--Wu cites threats like the Code Red worm that spread to hundreds of thousands of computers in 2001 and defaced websites with the phrase "Hacked By Chinese!"--Apple has enjoyed complacent years of being ignored by cybercriminals.
But Wu says that lull can't last. The rise of targeted attacks, for instance, has meant that Apple's smaller market share can no longer shield the company from dealing with security issues. "The iPhone and Mac OS are much easier to attack than Windows 7," he says. "I think in the future there will be a lot of attacks on Apple's software."
In other words, Apple's turn to be "hacked by Chinese" may come soon enough. And not all of them will be as charitable as Wu Shi.
Source: http://sg.news.yahoo.com/forbes/20100720/ttc-what-this-chinese-hacker-could-teach-2aa1c1a.html
Tuesday, June 29, 2010
His one-month pay is more than my annual pay. WTF.
Standard Chartered Plc was ordered by Singapore’s High Court to pay Fermin Aldabe for wrongful dismissal after the lender’s global senior risk manager said he would resign on his first day on the job.
The London-based bank must pay Aldabe at least S$40,333 ($29,384) including one month’s salary of S$27,500 and his wage from Nov. 17 to Nov. 30, 2008, Justice Steven Chong said in his judgment yesterday. Aldabe was fired after saying he’d resign when told he wouldn’t be paid for a two-week period before the start date stipulated in his offer letter.
More here
Monday, June 21, 2010
IT Voices (IT 心声)
Long hours
Long hours are a given in IT. Long hours in IT were an issue even before the economy tanked, causing more people to be laid off and the remaining staff forced to take on more responsibility. Some of the long hours are due to the nature of the work, but sometimes they’re due to the way you work. There are tons of sources out there that give good time management advice and teach you how to use your time more wisely. I’ve heard good things about Getting Things Done: The Art of Stress-Free Productivity.
Lack of respect
While the CIO may feel a lack of respect in the boardroom, IT staffers are often faced with it every day. Help desk personnel will occasionally get the appreciative end-user but many times they’ll be treated as though they invented the technology that is causing the end-user problems.
Network administrators are usually below the radar, only showing up when the system goes down. People rarely recognize the time the system is up. In other words, the more successful a net admin is at the job, the lower his or her profile.
No recognition
Probably the complaint I hear most often from TR members is that they don’t feel they are rewarded properly. In a bad economy, raises and promotions aren’t forthcoming. Even despite these factors, IT can be a thankless job. After all, you’re not out there doing the things that get attention like other departments (e.g., Sales gets the glory if they land a big account). Savvy bosses will constantly sing the praises of their staffers. It’s the best way to get the IT department on the radar.
But if they don’t, you need to do it yourself. Throughout the year you should log your wins and keep track of the metrics that show you’re doing your job. Take the highlights of this and include them in your yearly review. I understand self-promotion is hard for IT pros who just want to do their jobs and not worry about their images, but if you don’t, you’ll be hit by another stressor:
Politics
I don’t care who you are or where you work, you will encounter people who seem to work less, but have more political clout. It’s infuriating but it shows the power of marketing oneself.
Source