About FEI-FEI WU (FEEI)
Do you not see the waters of the Yellow River come down from heaven, rushing to the sea, never to return?
Do you not see, in the bright mirror by the bed, the grief of white hair, black as silk at dawn and snow by dusk?
When life goes well, enjoy it to the full; never let the golden cup face the moon empty.
Heaven gave us our talents; a thousand gold pieces scattered will come back again.
Hi, I’m Fei-Fei Wu, aka Feei, a cybersecurity researcher based in Hangzhou, China. I love my work and the city of Hangzhou deeply.
I've been interested in hackers since childhood because they can give an ordinary person superpowers, just like Elliot in Mr. Robot and Neo in The Matrix.
When I was little, a company owed my family’s factory money, so my dad took their computer home as collateral. I clearly remember that, since we didn’t have broadband, I saved up money to buy a USB wireless network card from a computer store, put my mom’s SIM card in it, and used it to get online, spending several hundred on phone bills. It was from that computer with the bulky CRT screen that I started experimenting.
At first, I was addicted to games and began using cheats to hack them. I then tried to develop other game cheats in Easy Language (易语言), and later learned Visual Basic. Once I gained development skills, I started writing remote control software to prank my friends. I also began self-studying various hacking techniques, gradually stepping into the field of cybersecurity.
But my journey as a hacker hasn’t been smooth sailing. When I first started working, there were few job opportunities in cybersecurity. At that time, I was a software development engineer, while spending all my free time exploring cybersecurity. I learned various exploitation techniques on vulnerability platforms like WooYun and others. My programming skills set me apart from other hackers at the time, allowing me to better understand the exploitation, discovery, and patching of vulnerabilities. I also developed automated exploitation tools to discover vulnerabilities in bulk. This helped me advance ten pages in the WooYun platform ranking in just ten days, and I once gained control over many top-tier internet companies in China.
At the same time, during my time as a programmer, I began developing security products to support business needs, leveraging my understanding of security. These included browser-based ActiveX security controls using digital certificates, real-name authentication systems, and jump servers. Later, I became the company’s first security engineer, marking the beginning of my journey in cybersecurity.
During my time as a full-time cybersecurity engineer, I had two long-term work experiences, both involving the e-commerce, banking, and payment industries. These experiences were part of a progressive security development process.
During the first five years, I witnessed the complete security development process of an internet e-commerce company, from a startup to a NASDAQ-listed company. I progressed from being the first security engineer to becoming the head of security.
During the second five years, I worked at MyBank (Ant Group) as an architect and second-in-command, involved from the ground up in building the bank's financial-grade security team and system. I was deeply involved in building multiple security areas for digital banking, leading the application security, mobile security, infrastructure security, threat intelligence, incident response, and security product development teams. This laid a solid foundation for establishing financial-grade security.
I’m currently part of the security team at Alipay (Ant Group), which has a complex and massive financial technology business with sensitive data of billions of users and trillions of transactions. As a result, there are inherently high demands for network security. The company invests hundreds of millions of RMB annually in cybersecurity and has experts in various specialized fields. Alipay offers competitive salary packages, ranging from several hundred thousand RMB for campus recruits to several million RMB for experienced hires, with smooth career advancement opportunities.
Here, we are dedicated to building a world-class security system, creating security concepts, practices, products, and vulnerabilities that benefit the industry. If you are passionate about making a difference in the security industry, we invite you to join us!
If you'd like to learn more about me, you can find additional details about my experiences in my article, "Stand out in the Sea of Resumes".
I'm happy to discuss anything related to my written content with you. Email allows for deeper thinking and more focused discussion than instant messaging tools, so don't add me on WeChat; just email me at feei#feei.cn
Speech
- 27/11/2023, Shanghai, EISS, Building a Trusted Defense-in-Depth System Based on Native Security Paradigm
- 19/08/2022, Shanghai, BDIE, Exploring Security Challenges and Responses in Bank Digital Transformation
- 22/11/2019, Shanghai, EISS, Thoughts on Cloud Security
- 22/10/2019, Chengdu, INSEC World, Practices in Internet Banking Security Construction
- 29/05/2019, Shanghai, BUTIAN Whitehat Conference, Attack-Defense Drills and Security System Construction in CII
- 22/03/2019, Shanghai, CISO Annual Meeting, Latest Practices in Human-Machine Recognition
- 30/11/2018, Shanghai, EISS, MOGU’s Human-Machine Recognition System Practices
- 19/09/2018, Xi’an, SSC, A Practice of Removing Passwords for Security
- 26/01/2018, Hangzhou, Security+, GitHub Sensitive Information Leakage Monitoring
- 24/11/2017, Shanghai, EISS, Corporate Security Architecture Practices
- 16/04/2017, Beijing, QCon, Static Code Analysis in Enterprises
Publication
Cybersecurity Interview Guide (《网络安全面试指南》)
Over the years I have screened thousands of résumés; why do so many people never even get an interview? I have taken part in hundreds of candidate interviews; why do so many fail the final round? Ability certainly matters in an interview, but I have also seen many people whose ability was no less than that of colleagues already hired and who still did not get the job. So how do you get through an interview successfully?
This guide aims to give practitioners in network and information security a comprehensive interview guide. I describe the current situation from the perspectives of the industry, the enterprise and the practitioner, and share interview and recruiting experience. The guide is organised around the body of knowledge in each security sub-field, with a practical, high-quality question bank and hints on approach, so that you can understand and absorb the experience more completely and systematically.
Financial-Grade IT Architecture: Decoding the Cloud-Native Architecture of a Digital Bank (《金融级IT架构:数字银行的云原生架构解密》)
Produced by the MyBank technology team
Security Parallel Aspect: Native Security Architecture for the Digital Era (《安全平行切面:数字数代的原生安全架构》)
Produced by the Ant Group security team
Trusted Defense in Depth for Digital Banks (《数字银行可信纵深防御》)
Produced by the MyBank security team
Building a Security System for Digital Banks (《数字银行安全体系构建》)
Produced by the MyBank security team
About FEEI.CN
About Cybersecurity Content
This site covers in-depth content on cybersecurity (application / mobile / cloud / infrastructure / intelligence / threat countermeasures), data security and privacy protection, and AI security, touching on vulnerability discovery, red-blue exercises, security product development, enterprise security construction, security team management and more. Security is an interdisciplinary profession that demands an extremely broad knowledge base. Through Security PPT I have studied tens of thousands of decks in which experts from companies and security conferences shared their experience; together with security books, white papers, discussions with experts, and my own years of accumulated experience in cybersecurity, this distils into a body of cybersecurity knowledge that covers practical experience from interviews and security team management to security system construction.
Open
Security is a luxury and security experience is expensive, but security should not be sustained by secrecy. From an industry perspective, cybersecurity is a luxury for most companies; most can invest only limited resources in it. Because attack and defense are asymmetric and threat countermeasure techniques keep escalating, no fixed set of solutions can handle every risk over the long term, so access to the industry's latest security concepts, architectures, technologies and practices is critical to raising the defensive water line. Today that is not easy to achieve: there are plenty of security books and talks, but they are piecemeal, detail-level and out of date. For most companies, core security technology is hard to publish. I believe security should not be closed and should not rely on mystique to build a high-end image; it should be open and shared, and continuously iterated and optimized. Only then can we remain unbeatable. That is what motivated me to spend the time and effort maintaining this site: I hope to make security knowledge widely accessible, so that every practitioner can obtain the latest security knowledge at low cost.
Up-to-date
Yuque is well suited to systematic knowledge management, but not to blogging. As software I use every day at work, Yuque really suits me: an excellent editor, a clean look, convenient multi-user collaboration, and a tree-structured knowledge base that fits knowledge accumulation. I used it for several years, but in the end I came back to WordPress. First, it does not support custom domains, which hurts SEO and leaves very little organic traffic. The degree of customization is also low; special components or interactions simply cannot be built. And because a knowledge system needs constant updating, WeChat public account articles, which cannot be substantially edited after publishing, do not work either. Mature is best, and what most people choose will not lead you down a detour.

Like most people, my blog-building history is a tale of blood and tears: from hosting it myself, to public blog platforms, to GitHub-hosted static sites, built and abandoned and rebuilt, and I do not know what kept me going; if only I had the same persistence for dieting. Only after trying them all do you know which is best. A blog is a place to write, so the core of the matter is writing and being read. For writing, the editor must be convenient, you must be able to write and publish at any time, and it must handle images and video; for being read, the key is that the site matches your own taste and opens quickly and comfortably for visitors. As an engineer I clung to Markdown and always wanted something technical: write a post in a local client, push the post and images to GitHub and wait for the static pages to be generated. True, you do not run your own server or worry about stability, and writing in Markdown is genuinely pleasant, but it is a real hassle. So I returned to the starting point, WordPress. What won me over was that on Themeforest WordPress has its own top-level menu with a huge number of themes for sale, while every other CMS sits under a single CMS menu; that says something about the maturity of the WordPress ecosystem.

So I picked a blog theme. I used to have a bit of the engineer's contempt: several hundred RMB for a theme is too expensive, surely? In the past I would have grabbed a copy and modified it for my own use. That is a bit like cracking software: you save money, but the problem is obvious: you can no longer apply its subsequent updates directly and must keep maintaining it yourself, which is very costly. As for buying instead of cracking, the domestic cracking industry has trained everyone's subconscious to believe software should not cost money; it is either cracked or funded by ads and value-added services, so when we see a good piece of software our first thought is not to buy it but to find a cracked version. Having written software for many years myself, I know the gap between professional and amateur work: design, interaction, compatibility, security, code quality, configurability and so on. Think how many small problems a theme iterated over several years has solved and how many optimizations it has made, and a few hundred RMB looks cheap. It is like a calendar app: the macOS Calendar may be maintained by dozens of excellent engineers, while the calendars on the app stores may be one of N products from a three-person studio; in the short term you may not notice the difference, but over time you will. If that holds for a theme or a single app, it holds even more for the maturity of WordPress: after so many years in the blog market you never need to worry about modifying it yourself, because every problem you will ever hit it has already hit and solved, and the rich plugin market lets you easily handle SEO, forms, code highlighting, image optimization, social sharing and even SSL.
Structured
To systematically consolidate my own cybersecurity knowledge. If you asked me what experience I have accumulated in cybersecurity after so many years of work, I would find it hard to answer. When I realized this, I wanted to change something and turn the knowledge in my head into knowledge in the site's knowledge base. I found that the process makes me think in a more structured, systematic and deeper way about knowledge that used to be vague, write it out plainly in my own thinking and language, and keep supplementing and refining every node so the content stays current and usable, like a gardener tending a digital garden. This is a long-term undertaking; perhaps I will maintain it for the rest of my life. Even if nobody reads it, it is useful to me at least, and that is enough. If it helps some people, that exceeds all expectations.
Unity of knowledge and practice (知行合一)
Only by having practiced the details of security can you do security strategy well. As a security manager, staying at the level of knowing is not enough to build security properly; you must have hands-on experience with every part before you can grasp the key points, address the corresponding risks and design a security strategy that actually works. There is a huge gap between the knowledge you look up and the knowledge you own, and in the AI era you still need to build up your own. You can find most of the information you want through AI, but between AI's information and your knowledge lies a huge gap, like the gap between knowing and doing. Only what you have experienced yourself, and can even teach to others, is your own knowledge; as the saying goes, knowing is the beginning of doing, and doing is the completion of knowing. My personal data (distinctive media, views, experience and reflections), emotional expression (my own stories and feelings), rigorous in-depth content, reach and influence, creativity and timely opinions are things AI cannot yet replace. I would rather build this site's content into a professional vector knowledge base that large AI models can plug into.
English is used mainly to improve my own English. The site is in English not to make it easier for non-native readers, but purely to improve my own English, and partly because some things sound affected in my mother tongue but not at all in English. Improving my English, in turn, is about seeing the world's first-hand information. From a self-interested angle, this also makes it easier to keep going.
About FEEI.CN’s Cybersecurity
Layer | Threat | Protective Measures
---|---|---
Network | DDoS/CC | Set DNS record to gov site
Network | MITM | HTTPS (SSL Labs test score A+); HSTS
Application | XSS | Security headers (CSP; X-XSS-Protection, which is legacy and ignored by current browsers, so CSP does the real work)
Application | iFrame (clickjacking) | Security header (X-Frame-Options)
Application | MIME sniffing | Security header (X-Content-Type-Options)
Application | Front-end backdoor | Security header (Permissions-Policy)
Application | SQLi | Change database prefix; no sensitive data
Application | Brute-force login account | Custom username; strong password
Application | Sensitive data leakage | DEBUG false; disable PHP error display; hide PHP/WordPress/Nginx version; automatic IP blocking on vulnerability scanning
Application | Trojan/mining/webshell | DISALLOW_FILE_EDIT; separate user/group for static and PHP files, read-only permissions, no write access except in the upload directory
Application | 0day | Separate-user WP-CLI mode for automatic updates of core/plugins/themes to the latest version; inotify on the www directory; automatic IP blocking on web attack
Application | Ransomware | Daily backup of files and database to a remote server; daily backup of ECS image
Server | Service brute-force/vulnerability | Only ports 80/443 open; automatic IP blocking on port scan; login via private IP with key; outbound internet access restricted
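The webshell and 0day rows above describe a file-permission layout (static and PHP files read-only to the web worker, only the upload directory writable) without giving the commands. The script below is an added example written for this page, not feei.cn's own deployment script: it applies that layout to a WordPress tree and then audits for the two things that would undo it, a writable path outside uploads and a PHP file inside uploads. The root path is a parameter; the ownership model (files owned by a separate deploy user, group-owned by the php-fpm worker's group, with the chown done beforehand) is an assumption stated in the comments.

```shell
#!/bin/sh
# Added example for this page, not feei.cn's own deployment script.
# Assumptions: $1 is the WordPress root; files are owned by a separate deploy
# user and group-owned by the php-fpm worker's group (chown done beforehand),
# so the worker can read everything but write only under wp-content/uploads.

# harden_tree ROOT: directories 750 / files 640 everywhere (group = web worker,
# read-only), then re-open wp-content/uploads as 770 / 660 so media uploads
# keep working. This is the "read-only except uploads" row of the table.
harden_tree() {
    root=$1
    find "$root" -type d -exec chmod 750 '{}' +
    find "$root" -type f -exec chmod 640 '{}' +
    uploads="$root/wp-content/uploads"
    if [ -d "$uploads" ]; then
        find "$uploads" -type d -exec chmod 770 '{}' +
        find "$uploads" -type f -exec chmod 660 '{}' +
    fi
}

# audit_writable ROOT: count paths outside uploads that the group or others can
# write. A non-zero count is a place where core/plugin/theme code could be
# patched in place or a webshell dropped by the PHP worker.
audit_writable() {
    root=$1
    find "$root" -path "$root/wp-content/uploads" -prune -o \
        \( -perm -g=w -o -perm -o=w \) -print | wc -l | tr -d ' '
}

# audit_php_in_uploads ROOT: count PHP files under uploads, the classic webshell
# drop location (uploads is writable by design, so it must never hold code).
audit_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php?' \) | wc -l | tr -d ' '
}

# Stand-alone demo on a constructed tree in a temp directory (no real site touched).
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-admin" "$root/wp-content/plugins" "$root/wp-content/uploads/2024"
    printf '<?php\n' > "$root/wp-config.php"
    printf 'jpeg\n' > "$root/wp-content/uploads/2024/photo.jpg"
    harden_tree "$root"
    echo "writable outside uploads: $(audit_writable "$root")"
    echo "php files in uploads:     $(audit_php_in_uploads "$root")"
    rm -rf "$root"
}

demo
```

Run `harden_tree` against the WordPress root after each update (the table's WP-CLI update runs as a separate user that does own the files, so it can write; the worker still cannot), and run the two audits from cron so that any non-zero count alerts; the inotify watch in the table catches the same events in real time. Note that blocking PHP files in uploads at the file-system level is only half the control: the Nginx location for `wp-content/uploads` should also refuse to pass anything to FastCGI.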
About FEEI.CN’s Speed
Layer | Items | Company/Tool | Config/Version | Result
---|---|---|---|---
Network | DNS | DNSPod | / | <60 ms
Network | VPS | Aliyun | 4M, Hangzhou (South) + Beijing (North) | <15 ms
Network | CDN | – | – | –
Base Application | Blog software | WordPress | Automatic update |
Base Application | Web server | Nginx | 1.20.1 + HTTP/2 |
Base Application | Programming language | PHP | 8.0.30 + OPcache + FastCGI cache |
Software Application | Theme | Typology | Text based, no images required |
Software Application | Text | Lighthouse | / |
Software Application | Compression/Text | Minify | / |
Software Application | Compression/Image | WebP | / |
Software Application | Compression/Transmission | Gzip | All file types |
Software Application | Async/Text | async | Static files |
Software Application | Async/Media | Lazy load | / |
Software Application | Cache/Browser | HTTP cache | no-cache |
Software Application | Cache/Application | File cache | Page/Post |
Software Application | Cache/Database | Redis | 3.2.12 |
Software Application | Other/URL redirects | / | 0 |
Software Application | Other/Resources from other domains | / | 0 |
Speed Test | PageSpeed Insights (Lighthouse) | / | Performance score | 100
Speed Test | Pingdom | / | Performance score | 94
Playlist: Jay Chou (周杰伦)
いつも何度でも - 宗次郎
愛にできることはまだあるかい - RADWIMPS
夢灯籠 - RADWIMPS
三葉のテーマ - RADWIMPS
笔记 - 周笔畅
如愿 - 王菲
体面 - 于文文
海底 - 凤凰传奇
童年 - 张艾嘉
东西 - 林俊呈
卜卦 - 崔子格
后来 - 刘若英
黄昏 - 周传雄
房间 - 刘瑞琦
青花 - 周传雄
勇气 - 梁静茹
宁夏 - 梁静茹
泡沫 - 邓紫棋
城府 - 许嵩
素颜 - 许嵩
幻听 - 许嵩
花海 - 周杰伦
夜曲 - 周杰伦
退后 - 周杰伦
外婆 - 周杰伦
逍遥叹 - 胡歌
起风了 - 买辣椒也用券
春庭雪 - 等什么君
七里香 - 周杰伦
猜不透 - 丁当
不怪她 - 马思唯
忽然之间 - 莫文蔚
千里之外 - 周杰伦
我们的歌 - 王力宏
无名的人 - 孙楠
个人简介 - 安全着陆
此生不换 - 青鸟飞鱼
有何不可 - 许嵩
孤单心事 - 蓝又时
铁血丹心 - 罗文,甄妮
红色石头 - 李智楠
我欲乘风 - 安全着落
回到过去 - 周杰伦
回到未来 - Double Zhuo & Tizzy T
电台情歌 - 莫文蔚
清明雨上 - 许嵩
需要人陪 - 王力宏
灰色头像 - 许嵩
纸短情长 - 烟把儿
一生所爱 - 卢冠廷&莫文蔚
平凡之路 - 后会无期
漫步人生路 - 邓丽君
盛夏的果实 - 莫文蔚
小手拉大手 - 梁静茹
每个人都会 - 方大同
听妈妈的话 - 周杰伦
红色高跟鞋 - 蔡健雅
多余的解释 - 许嵩
最好的安排 - 曲婉婷
爱就一个字 - 张信哲
可惜不是你 - 梁静茹
会呼吸的痛 - 梁静茹
玫瑰花的葬礼 - 许嵩
有没有人告诉你 - 陈楚生
给我一首歌的时间 - 周杰伦
最远的你是我最近的爱 - 车继铃
总有一天你会在我身边 - 棱境
APT - ROSÉ & Bruno Mars
Time - 小青龙 & 辉子
August - Intelligency
Don't matter - Akon
Free Loop - Daniel Powter
Jar of Love - 曲婉婷
Plain Jane - A$AP Ferg&Nicki Minaj
Thank You - Dido
SeeYouAgain - Wiz Khalifa&Charlie Puth
Rage Your Dream - m.o.v.e
Welcome to New York - Taylor Swift