Guest: Yu Yang (AKA: Tombkeeper, TK教主)
Tombkeeper is the founder of Tencent Security Xuanwu Lab, member of the Advisory Committee of Cyberspace Security Teaching in Higher Education, member of the Cybersecurity Expert Advisory Group of ICSTC of MIIT, and member of the Cryptography Standardization Technical Committee. He has received the CNCERT/CC's "Olympic Information Security Support Individual First-Class Award" and the "Outstanding Young Engineer Award" from the ISEFC. Tombkeeper is one of the three global winners of the Microsoft Mitigation Bypass Bounty and Bounty for Defense Program, winning a grand prize of $100,000. He is the only nominee from Asia for "Most Innovative Research of Pwnie Awards" in its ten-year history.
Hosted by Sam Ng (aka: Bra)
Founder of ServBay, Secken and DNSPod, former General Manager of the SME Product Center at Tencent Cloud, cybersecurity expert, domain and DNS technology expert, webmaster, China Europe International Business School (CEIBS) EMBA.
Bra:
Having graduated from medical school, the normal path for you would have been to become a doctor healing the sick. Yet, now you've become a tech guru in the field of cybersecurity, known in the hacker community as the "Saint Gynecologist." What made you give up medicine to pursue cybersecurity? Is there any common ground between the two?
Tombkeeper:
Both cybersecurity and medicine interest me as facets of technology, so I don't see a significant difference between the two. The main reason I chose cybersecurity over medicine is the accessibility of research conditions. While medical research requires extensive resources, all you need for cybersecurity is a computer. In fact, medicine is akin to the cybersecurity of the human body, and cybersecurity is like medicine for computers.
There are many similarities, such as the need for diagnosis in both fields, where the thought processes involved share common ground. Additionally, just as cybersecurity products build defenses based on attack characteristics, vaccines are developed based on the characteristics of pathogens.
Bra:
The recent news about Jiuzhang quantum computer has attracted widespread attention, suggesting that quantum computing's immense power might bring about a new revolution in information technology. Do you think the advent of quantum computing could render current security mechanisms obsolete? How do you view the future direction of security technology in light of this?
Tombkeeper:
Currently, the most significant threat quantum computing poses to cybersecurity is the potential to crack asymmetric encryption. If quantum computing becomes practical, existing algorithms like RSA could become vulnerable. However, there's no need for alarm as defense technologies, such as post-quantum cryptography, which are resistant to quantum computing attacks, have already been under research, offering many alternative solutions.
It's crucial to switch to post-quantum cryptography well before practical quantum computers are developed, as attackers could store encrypted data now to decrypt it once quantum computing is available. Therefore, we need to predict when practical quantum computers will emerge and switch to post-quantum cryptography well in advance to ensure the data's value is diminished by the time it becomes decryptable.
Bra:
A few months ago, you discovered a system security flaw in the MacBook Air equipped with the M1 processor that allowed root access to be obtained in seconds. This was the first discovered vulnerability affecting Apple Silicon chip devices. Can you share how you and your team quickly and accurately found this vulnerability? And what advice do you have for Apple fans?
Tombkeeper:
This vulnerability wasn't discovered after the M1 version MacBook Air was released. We found it earlier and realized it affected not only macOS but also iOS, suggesting it might also impact the M1 MacBook Air. Our tests confirmed this after the device's release. The discovery and handling of this vulnerability were primarily between vulnerability researchers and product developers. Apple fans should treat it as tech news, stay informed, and ensure their systems are promptly updated without undue concern.
Bra:
Security is paramount in the development and deployment of systems, yet the investment in security must balance time and human resource costs, especially for small and medium-sized enterprises where cost control is critical. How can one assess if a system's security is adequate? Is there a "passing grade" for security? What are your recommendations?
Tombkeeper:
The extent of security protection needed is related to the threats faced, which in turn depends on the attacker's interest level. Large companies, with more data and higher value, naturally attract more interest from attackers. However, interest from attackers doesn't always correlate directly with company size; for example, cryptocurrency-related businesses may not be large but are highly attractive to attackers, facing significant threats.
It's challenging to precisely evaluate whether a system's security is sufficient. However, compared to Western countries, the proportion of network security investment in IT costs among Chinese companies is relatively low.
Bra:
You once quoted Woon Swee Oan: "If a person wants to assassinate another, as long as they are patient enough, ruthless enough, and choose the right moment, even the most skilled person cannot defend themselves." In your view, does this mean all systems have flaws? What's the biggest challenge in security, and how should we approach it?
Tombkeeper:
When we evaluate a system's security, we look at the current moment without considering the dimension of time. However, attackers do not necessarily need to succeed right now; succeeding within three months, a year, or two years is still a victory for them.
Over such periods, new vulnerabilities could emerge, new attack methods could be developed, or attackers could infiltrate through the supply chain. The biggest challenge in defense is not just battling technology but also time. The most difficult part of security isn't achieving a high level of security at a specific moment but maintaining long-term security over an extended period.
Bra:
Recently, a girl in Chengdu(capital of Sichuan province) diagnosed with COVID-19 was cyberbullied, with her name, ID number, home address, and photos leaked and widely circulated online. From a cybersecurity perspective, how do you view this incident? How do you ensure the information security of ordinary people?
Tombkeeper:
First and foremost, this is an issue of management and human error. Those who had access to the data leaked it, highlighting the need for better education and management of relevant personnel. Technologically, however, we should also reflect.
For example, courier slips used to display all sender and recipient information, but many courier companies have started addressing this issue. Similarly, ride-hailing drivers used to see passengers' phone numbers directly in the system, which is no longer the case. While collecting personal information is necessary for epidemic prevention, is it possible to limit direct access to such information? Technological improvements could address this issue.
Bra:
The cybersecurity field is always in demand, seemingly valuing more experienced practitioners as "aging like fine wine." As one of the top security teams, what is the average age of Xuanwu Lab's team? Do you, as leaders in the field, also experience age-related anxieties?
Tombkeeper:
Most members of Xuanwu Lab joined through campus recruitment, making our team quite young, with an average age of under 30. The cybersecurity industry requires experience and accumulation of knowledge. Many IT jobs can be broken down and operated like manufacturing, but security often demands a holistic understanding.
The value of veteran engineers in this industry is irreplaceable. I'm the oldest in the team, yet I still directly contribute to the lab's work. For example, our research on fast charger security began with my preliminary work. When the team reported a lack of success after some time, I pointed out that they had indeed succeeded; they just needed to adjust their technical approach based on a more systematic understanding of security. I believe the young people in our team will continue to play significant roles in the industry as they reach my age.
Bra:
Your team explores a wide range of areas, from software to hardware, from applications to networks, mastering them all. How do you and your team choose your "next" target? For unfamiliar fields, do you worry about investing too much without achieving results?
Tombkeeper:
Our research principle is value-driven, practicality-oriented. When selecting research directions, we consider the value to Tencent and society. About 60% of our work directly serves Tencent's business, though this is generally not visible to the public due to the nature of security work. The remaining 40% is societal-focused, which is more visible. Security research requires continuous learning, so unfamiliar fields are not an issue for us.
For instance, some team members who worked on the fast charger research had no prior hardware experience before joining Xuanwu Lab. Research inevitably involves the risk of failure, but we manage this risk through thorough preliminary research, regular reviews, and timely cessation. The most crucial aspect is the initial feasibility assessment of our targets. Since its establishment, Xuanwu Lab has only chosen the wrong direction "0.5 times," because even though one project didn't achieve the expected results, we published a blog detailing why it was unfeasible, which proved valuable to researchers in related fields and was even cited in a top conference paper.
Bra:
Leadership style determines team style. Not only is your team capable of anything, but you yourself are a polymath—a "jack-of-all-trades" in cybersecurity with a medical background, able to crack jokes, and boasting tens of thousands of followers on Weibo and Zhihu. Can you share your learning experience with young people? How do you excel in your field?
Tombkeeper:
I indeed have a wide range of interests, but not everyone needs to. Everyone has their unique strengths and personality traits. By leveraging these, one can excel in their team and find their place in society. Learning boils down to the ability to acquire and absorb information, so it's worth focusing on developing these skills, such as learning to use search engines effectively and reading quickly. Improving these abilities will facilitate learning across various domains.
Bra:
Over the past decade, China's internet has evolved from the "ancient times" to a more civilized era. As someone who has experienced and witnessed this transformation, how do you think the battle for cybersecurity in China has changed technically over the past ten years? What do you foresee for the next decade in cybersecurity development?
Tombkeeper:
This is a vast topic, so I can only touch on it briefly here. The logic behind cybersecurity changes can be summarized as evolving with digital technology and driven by the dynamics of offense and defense. The past decade saw the shift from desktop to mobile and from endpoint to cloud, leading to a focus on mobile and cloud security. The emergence of ransomware, supply chain attacks, and other new threats also shifted the cybersecurity focus. The next decade will likely follow this logic. If we consider 5G, AI, and IoT as the direction of digital technology in the next ten years, then the development of cybersecurity will undoubtedly relate to these areas.
Bra Asks Tombkeeper: From 'Saint Gynecologist' to Elite Hacker, The Legendary Journey of a T5 Tech Wizard
Thanks for reading.
If you are interested in more information, follow Bra's X(Twitter)
Top comments (0)