CCTV NEWS: Zhao Kefeng: The good

Posted by: admin | Published: 2013-09-25 | Views: 352

Interview video link: http://english.cntv.cn/program/china24/20130924/104751.shtml

Asia's premium cyber security conference has opened in Beijing. The event, known as Syscan, gathers the industry's top professionals from all over the world to address the challenges in a mobile age.

Now for more on the topic, we're joined on the phone by Professor Zhao Kefeng from the department of economics at Shanghai University of Finance and Economics.

Q1: For average folks, there's always a curtain of mystery over computer hackers. Now help us out here, how do you differentiate between the hackers who help companies identify security loopholes as opposed to the ones that exploit them?

A1: Many people in the industry like to use the terms "black, white and grey hats" to differentiate between hackers. These terms are value-loaded, however. This is because if we describe hackers who "do the right thing" as the white hats, and those who do the opposite as black hats, then we must ask what assumptions we use when we say something is right. For example, many hackers believe that exposing security problems, even with enough information to exploit the holes, is ethically correct and anything less is irresponsible. This is often referred to as "full disclosure". Other hackers believe that giving enough information to exploit the problem is wrong. They believe that problems should be disclosed to the software vendor ONLY and that anything more is irresponsible. Both of these opposing groups think that they are the white hats.
The term "grey hat" finally emerged to fill the gap, to say that no hackers are clearly black or white. In the professional circle, however, the sort of things considered grey largely center on the pros and cons of "full disclosure" we mentioned before. Some hackers believe that it is unethical to report security holes to the public without waiting for the vendor to patch the problem. Some hackers think that not notifying vendors will force them to be more proactive about auditing their code. Some hackers just don't like the vendor in question, and intentionally cause maximum pain to the vendor. As a vendor, you should always be prepared for the worst-case scenario.

Q2: The incident of Edward Snowden has brought to light the issue of organized hacking by governments. Here's a question probably privy only to insiders, just how much of the hacking is perpetrated by governments?

A2: Hacking is but one way of spying. Spying is everywhere, now and in the past. Every nation puts significant resources into this or the prevention of this. The scale of organized hacking by government is as meaningful as the volume of it. This is because one government can go deeper as needed, especially if it has already cast a net wide enough.
A stronger state might force the key players in the telecommunication and computer industry to share information with the government; a weaker state might lure such players into doing this. Commercial hackers differ because they do not have access to the sharing on such a scale. Always watch your back if you do something online.
