Slashdot Mirror

← Back to Stories (view on slashdot.org)

How an Aussie University Creates the World's Best Hackers

Posted by samzenpus on from the advanced-hacking-101 dept.

bennyboy64 writes "An Australian university appears to be excelling at cultivating some of Australia's best computer hackers. Following the University of NSW's students recently placing first, second and third in a hacking war game (the first place winners also won first place last year), The Sydney Morning Herald reports on what exactly about the NSW institution is breeding some of Australia's best hackers. It finds that a lecturer and mentor to the students with controversial views on responsible disclosure appears to the be the reason for their success."

76 comments

  1. Creates or attracts? by Anonymous Coward · · Score: 1

    Creates or attracts?

    1. Re:Creates or attracts? by Runaway1956 · · Score: 1

      University of Not Safe for Work? I'd say it attracts . . .

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    2. Re:Creates or attracts? by Anonymous Coward · · Score: 0

      How about a B.Sc., M.Sc. and PhD in stealing and theft. University of NSW should consider it since these are not that different with their current course. One could even justify that these degrees may help property owners to secure their properties!

    3. Re:Creates or attracts? by davester666 · · Score: 0

      Aussie == criminal

      News at 11.

      --
      Sleep your way to a whiter smile...date a dentist!
  2. Makes Sense by phantomfive · · Score: 5, Insightful

    In Universities, it turns out that the individual professors are the most important part of a quality institution. At a small university, a single quality professor can make a huge difference.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:Makes Sense by Noishe · · Score: 4, Insightful

      Just as my mod points expire...

      You're absolutely correct that it's the teachers that matter and not the institution.

      Mind you, the institution also has to have the right culture in place to first attract and then tolerate the actions of teachers like this. I would also extend your point, and say that the professors matter just as much at a large university as they do at a small one.

    2. Re:Makes Sense by SessionExpired · · Score: 1

      the individual professors are the most important part of a quality institution

      I wonder if this guy teaches there. He is local, and he would have made me study EE instead of chemistry.

      --
      You want the taste of dried leaves boiled in water?
    3. Re:Makes Sense by wisnoskij · · Score: 2

      Well in a large one where you are in classes of 400 plus students, I would say that individual professors matter less that one where you are in classes of 20.

      In the first one you will not get to see him in-between classes for help (that will be left up to his army of TAs), and you will be sitting so far away your only interaction is likely to be watching the slides that his TAs prepared and listening to a speaker as he reads them.

      --
      Troll is not a replacement for I disagree.
    4. Re:Makes Sense by ceoyoyo · · Score: 1

      That's because the universities, as far as undergraduate programs go, are essentially all the same.

    5. Re:Makes Sense by dkf · · Score: 1

      Well in a large one where you are in classes of 400 plus students, I would say that individual professors matter less that one where you are in classes of 20.

      But there's no reason in principle why a single professor should give tutorials to the entire year, especially at undergraduate level where there are often multiple people in a large department who can teach the same course module. (Lectures can scale up much larger than tutorials do, but the skills for giving a lecture aren't the same as those for running a laboratory session or giving a tutorial.)

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    6. Re:Makes Sense by Anonymous Coward · · Score: 0

      Not sure what university you went to but my 200+ class professors begged students to come to their office hours. The office hours probably were so boring because nobody went.

    7. Re:Makes Sense by jfz · · Score: 0

      And here I was thinking that it was the number of new buildings, department sizes, tennis courts, landscaping, and quantity of state certified content-crammed courses. What a shocker!

    8. Re:Makes Sense by Anonymous Coward · · Score: 0

      LOL, beware what you believe. Don't give your money to loud big mouth youtube preachers.

    9. Re:Makes Sense by manu0601 · · Score: 2

      It is true for any enterprise, whether being an university or a corporation. Things are done well or badly by humans, not by the walls that surround them, or the uniforms they wear. Policy that try to turn individuals into disposable resource might succeed at industrialize something well known, but it will starve at being remarkable.

    10. Re:Makes Sense by phantomfive · · Score: 1

      It is true for any enterprise, whether being an university or a corporation.

      Good point.

      --
      "First they came for the slanderers and i said nothing."
    11. Re: Makes Sense by Anonymous Coward · · Score: 0

      I worked as a guest professor for a 4 week section of a course plus an exam component following it last year. I also made myself available by Skype, and made sure to offer my availability for help with any issues. Wasn't contacted one time. It's kinda frustrating when you do all you can in lectures, labs and tutorials, and offer to do more (unpaid extra, mind you), and you still have students failing over relatively simple stuff just because they won't approach you.

  3. If they're so great by Anonymous Coward · · Score: 0, Troll

    How come they didn't get FIRST POST!

    1. Re: If they're so great by Anonymous Coward · · Score: 0

      The first comment on Slashdot. Ever.

  4. An eminently sensible policy by Anonymous Coward · · Score: 2, Insightful

    "We say that you should do whatever you want with the exploit. It's your vulnerability, you found it, it's your thing. You have no obligation to report it at all. In fact, reporting it can get you into a lot of trouble."

    1. Re:An eminently sensible policy by westlake · · Score: 4, Insightful

      "We say that you should do whatever you want with the exploit. It's your vulnerability, you found it, it's your thing. You have no obligation to report it at all. In fact, reporting it can get you into a lot of trouble."

      It is not your thing ---

      and it is precisely this kind of thinking that brings the hacker increasingly into conflict with society and the law.

    2. Re:An eminently sensible policy by gagol · · Score: 5, Insightful

      Going legal after people disclosing vulnerabilities got us where we are. If you are not opened to receive security status about your [system/software/network] get prepared to be hacked because you backed the very people willing to help you in a corner.

      --
      Tomorrow is another day...
    3. Re:An eminently sensible policy by Anonymous Coward · · Score: 1

      It is not your thing ---

      and it is precisely this kind of thinking that brings the hacker increasingly into conflict with society and the law.

      What they are doing is creating pure intellectual property, no different from a company patenting a gene sequence that they discovered. It is, according to direction that IP law is taking, absolutely theirs.

      Whether you believe it should be this way or not is an entirely different kettle of fish.

    4. Re:An eminently sensible policy by countach · · Score: 1

      Yeah, but nobody knows until its too late if a particular organisation is enlightened or not. Now that I think about it, responsible organisations should have a disclosure policy on their web sites. Something like "if you find a vulnerability in our systems, please report it, and there is a small reward" or something, so that people feel safe to report this stuff.

    5. Re:An eminently sensible policy by gagol · · Score: 3, Insightful

      In the beginning, people were reporting that shit. Then lawyers got involved. This is when the SHTF. Because we don't know if we are going to end in court or not, we prefer to shut up and let them bath in filth.

      --
      Tomorrow is another day...
    6. Re:An eminently sensible policy by plover · · Score: 2

      The article quotes the professor's example of a guy who revealed a flaw to a company that they were exposing hundreds of thousands of people's financial accounts. All he did was to change the user ID in his URL to some other number, which was a different person's account. He knew that his own information was at risk, and wanted the company to fix their badly written web site.

      The reward for his reporting effort was a police investigation, and the company threatened him with the liability of the costs of fixing the flaw.

      Sure, many companies will take a security report and say "oh, crap!" They'll then scurry about and fix the problem. They might say thank you, they might not. But the truth is some companies are run by total douche-nozzles who respond with threats.

      When it's a possibility that companies will respond by acting as completely irrational and irresponsible as this, the professor is doing the right thing by teaching the students "don't assume any good will necessarily come from what you've done." If you monetize the flaw by selling it, someone else assumes the risk. They might buy it to exploit it, or they might hope to turn it into a reward.

      His advice is to avoid the conflict entirely. It's amoral, but it's very practical advice that will keep you personally out of jail.

      --
      John
    7. Re:An eminently sensible policy by Anonymous Coward · · Score: 0

      "pure intellectual property"?

      Using the term intellectual property reveals you know nothing about which you speak. There is no such thing on earth.

    8. Re:An eminently sensible policy by Anonymous Coward · · Score: 0

      Westlake is a Microsoft sockpuppet. They have an axe to grind with people who expose their bugs.

    9. Re:An eminently sensible policy by Anonymous Coward · · Score: 0

      It's not amoral, and in fact, throughout history morals are just abuse of authority to control people's behaviours and actions.
      You could say ethics, but nobody can define what is ethical and not. With ethics, it's your own personal opinion and degree of self-reflection that matters.

      This is simply a perfectly valid response to threats and ignorant, if not criminal, abuse of the legal system.
      When holes in the dike is illegal to report on, or you're just too ignorant, fearful and abusive to understand when someone's trying to help you, you just ensured the next black swan event on yourselves.

    10. Re:An eminently sensible policy by EnempE · · Score: 1

      Unfortunately that practical advice goes beyond immoral. In many states it is illegal to produce a device or code that allows unauthorized access, in the others, facilitating a crime is bad juju. Selling that code will not be viewed in the best light and will destroy any chance of a defense based on lack of intent. Lord only knows what will happen if you sell your exploit to a guy, who sells it to a guy with terrorist ambitions. Talking to a CERT about it seemed like a good idea. Also it is high time universities stepped up and provided support to their students/researchers. Government talks a lot about public private partnerships in the war on cybercrime, this would be a good place to start.

    11. Re:An eminently sensible policy by able1234au · · Score: 1

      If i remember that case i think the problem was that to prove it was a problem he dumped down a large number of account details. He was responding as would a technical person to a technical problem but forgetting that these were valuable account details. It is a little like working out how to open your safety deposit box without a key and then testing it by opening up every deposit box in the bank and wondering why they were upset since you were just proving to yourself that the technique worked.

      So, agree that the company overreacted and were totally dumb in their response but i can understand their initial misguided kneejerk response.

    12. Re:An eminently sensible policy by Anonymous Coward · · Score: 0

      You do realise that sometimes, good exploits take something like several months of work to write? How is that not "your thing", if you work at it for so long? If you worked on something for several months, non-stop, and then someone tried to take it away and say it wasn't yours in the first place, how would you feel?

    13. Re:An eminently sensible policy by Anonymous Coward · · Score: 0

      However, there is such a thing in civilized society.

      Feel free to go back to your cave and try to get your fire started rubbing two sticks together....

    14. Re:An eminently sensible policy by Anonymous Coward · · Score: 1

      Duh. You won't get into conflict if you don't get caught. Society doesn't want to know about the vulnerabilities. If they wanted to know they would pay the finders instead of prosecuting them. Too many stories where someone finds a hole, reports it, then gets to trouble instead of getting praise.

    15. Re:An eminently sensible policy by Anonymous Coward · · Score: 0

      However, there is such a thing in civilized society.

      Feel free to go back to your cave and try to get your fire started rubbing two sticks together....

      Rubbing two stick together might actually work. In this "civilized" society you'd be sued because "rubbing sticks together" is patented, and you just broke the law, and stole IP, and most likely tried to burn something down in a terrorist action. Less lawyers means better society.

    16. Re:An eminently sensible policy by Anonymous Coward · · Score: 0

      Using the term intellectual property reveals you know nothing about which you speak. There is no such thing on earth.

      If a piece of software has a bug, it is a tangible thing. If I write an exploit for said bug, it is a tangible thing. Between those steps is the knowledge of the bug which is used to create the exploit. It has value, and it has no physical representation intrinsically.

      This is no different from a map to a diamond mine, or a map of a genome that tells you where your CD4 receptor is coded so you can knock the sequence out of your lab mouse and test HIV therapies. The map is a transformation of the information upon which it is based. It does not have an independent existence.

      If you have a better descriptor for this concept than 'intellectual property', I am all ears.

  5. GCHQ by Anonymous Coward · · Score: 3, Interesting

    Or maybe it's because the curriculum is designed so that Defence Signals Directorate (the Aussie equivalent of GCHQ/NSA) can go there and have a one-stop shop for their new recruits...

    1. Re:GCHQ by Anonymous Coward · · Score: 0

      The DSD don't pay enough, and don't have enough good people, to ever get the talented hacker kids in .au. DSD is a "oh shit, I didn't get a good job" kinda place.

    2. Re:GCHQ by Anonymous Coward · · Score: 0

      This isn't true, DSD has great success in hiring talented hacker kids.
      Retention is the main problem, government agencies are terrible at keeping technical staff longer than a couple of years. Once they've soaked up the great training available they head off to the private sector (often Google or Facebook).

    3. Re:GCHQ by Anonymous Coward · · Score: 0

      BULLSHIT. As someone that regularly interacts with DSD the amount of quality technical individuals are extremely limited their, however the ones that think they are knowledgeable are abundant supple in that place. I have been truly stunned many times with some of the lack of understanding of even basics by their supposedly quality staff.

  6. Good by benjfowler · · Score: 0, Flamebait

    Nice to see the good guys get ahead for once. A world run by the likes of Russia, China or the Muslims would be hell, and we need to be prepared.

    1. Re:Good by Anonymous Coward · · Score: 2, Funny

      You sir get the off-topic redneck award of the day.

    2. Re:Good by Anonymous Coward · · Score: 0

      It isn't "love" when all he's doing is banging a piece of meat that he bought and paid for. Instead of "making love" he is "venting frustrations".

  7. the University of NSFW? by Anonymous Coward · · Score: 1

    No wonder they have so many 24x7 hackers...

  8. Part of it is that they've been at it for a long . by Coeurderoy · · Score: 4, Interesting

    Part of it is that they've been at it for a long time... http://en.wikipedia.org/wiki/Lions'_Commentary_on_UNIX_6th_Edition,_with_Source_Code Lions was at the UNSW, getting student to have access to code seems to be a tradition there. I also met a couple of very talented people who got their degrees there in the late 70's early 80's and worked with some of them... It just shows that the right way to run an university is not to worry too much about the curriculum and do the unexpected, even the vaguely illegal. BTW it seems the equivalent document he wrote about the pdp11 unix C compiler is not avaiable, it's sad it was very interesting.

  9. Australian schools have magic by Anonymous Coward · · Score: 2, Funny

    As I learned from this video last year. It's a snap.

  10. Five Deadly Venoms by Anonymous Coward · · Score: 0

    Did anyone reading TFA think of old martial arts films where star pupils turned to the dark side?

  11. beware of grubb the scrub... by Anonymous Coward · · Score: 0

    Arguing that college level war games somehow measures who does and doesnt have the best hackers is mildly retarded, Then of course, it's probably noteworthy that the contest they're referring to, isnt a world competition, but rather an inter-aussie competition. Furthermore, it's a bunch of web apps.. so apparently the easiest way to defeat these super hackers is to ... turn off your webpage!

    Finally, tying it into any stance on responsible disclosure is just overly retarded, the idea that any level of morality or lack thereof in a subject that is inherently highly technical just smacks of dumb.

    Oz does have some of the worlds best, Dowd and Ceasare immediately come to mind. This is just fluff cruft from a journalist and a good exemplification of why you can safely ignore everything in the news relating to hacking generally.

    Full rankings, inclusive of the ALL aussie contestants found here:
    https://scoring.cyberchallenge.com.au/index/ranking

    1. Re:beware of grubb the scrub... by Anonymous Coward · · Score: 0

      The Fionbhar guy in the article works at Dowd's company, as per the article, and http://www.azimuthsecurity.com/about.html

  12. Cracker by Anonymous Coward · · Score: 1, Informative

    Cracker, not hacker. Goddammit, /. of all places should be able to get this right.

    1. Re:Cracker by Runaway1956 · · Score: 1

      I thought crackers cracked games and applications. Hackers do stuff more like the people in the article are doing - penetration testing. Most hackers can likely crack a DRM'd game too.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    2. Re:Cracker by phantomfive · · Score: 2

      FYI that ship sailed decades ago.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Cracker by CurunirAran · · Score: 1

      A 'Cracker' is somebody who finds exploits and security holes in applications and then uses them for illegal purposes. Cracking applications is just a small subset of that. Hackers are basically do what you said. The Grandparent is incorrect in its definition of crackers and hackers.

  13. Australia huh? by interval1066 · · Score: 0

    What do they all do, move to Croatia as soon as they graduate?

    --
    Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    1. Re:Australia huh? by nzac · · Score: 1

      Its the Sydney Morning Herald, they have a low journalistic standard.

  14. Makes Sense: Robin Williams. by Anonymous Coward · · Score: 0

    So this guy is a modern day Dead Poets Society?

  15. Best of world? by Njovich · · Score: 1

    It's a national CTF for some australian schools. Wake me up when they win iCTF and Defcon in the same year.

    What's next, call the junior ice skating winner in the Australian nationals the best ice-skaters in the world without further evidence?

    1. Re:Best of world? by joseph90 · · Score: 1

      kinda like the world series baseball, eh? ;-)

    2. Re:Best of world? by Anonymous Coward · · Score: 0

      1) It's a stupid name from 100 years ago

      2) The best players in the world play in the MLB (*)

      3) There is a team in Canada

      *) Baseball is popular in North and South America, the Caribbean, and East Asia. Many of the best players are from places like the Dominican Republic, Venezuela, and Japan. Just because a sport isn't popular in Europe (home of "World War" I, if you recall) doesn't mean it isn't popular elsewhere.

    3. Re:Best of world? by Anonymous Coward · · Score: 0

      Woah...relax. I think the point the parent was making about baseball is that nobody of significance (apart from USA) plays your boring game.

    4. Re:Best of world? by Anonymous Coward · · Score: 0

      Actually the point was the Americans can their domestic baseball competition the "World" championship.

      Kinda like how Miss Universe doesn't feature any one from outside of Earth...

  16. Richard Buckland by dingen · · Score: 1, Informative

    I'm surprised Richard Buckland isn't mentioned anywhere. He's supposed to be *the* superstar comp sci lecturer at UNSW, right? And I do believe he has a keen interest in security too. Hmm... that gets me thinking, maybe "Fionnbharr Davies" is an alias. It sounds fake anyway.

    --
    Pretty good is actually pretty bad.
    1. Re:Richard Buckland by DpEpsilon · · Score: 1

      Yeah, he's that one professor that probably makes UNSW a good security university.

    2. Re:Richard Buckland by Anonymous Coward · · Score: 0

      This may be true for Security, but UNSW also has a fantastic Systems Group which is in large part due to the hard work of Kevin Elphinstone and Gernot Heiser. Who also practice very hands on learning. UNSW undergraduates write a fully working operating system, Cambridge undergraduates talk about it.

    3. Re:Richard Buckland by Vylen · · Score: 2

      Richard Buckland is currently working on internet voting and the security involved around that.

      Fionnbharr Davies is actually an ex-student of Richard.

      I know this being a UNSW graduate and a student of Richard as well :)

      Fionnbharr was quite the unusual character but quite devoted to his studies cause he just found it fun. No surprises here that he enjoys lecturing for the same reasons!

    4. Re:Richard Buckland by Anonymous Coward · · Score: 2

      Richard Buckland is currently working on internet voting and the security involved around that.

      Fionnbharr Davies is actually an ex-student of Richard.

      I know this being a UNSW graduate and a student of Richard as well :)

      Fionnbharr was quite the unusual character but quite devoted to his studies cause he just found it fun. No surprises here that he enjoys lecturing for the same reasons!

      Richard Buckland is the one who organises these courses; He gets Fionnbharr and Brendan to run them.

    5. Re:Richard Buckland by Anonymous Coward · · Score: 0

      UNSW alumnus here.

      Fionnbharr isn't Buckland. Buckland's security course was pretty awesome too though, not sure if he's still teaching it..

    6. Re:Richard Buckland by Anonymous Coward · · Score: 0

      Last I heard Richard was quite ill.

    7. Re:Richard Buckland by Xest · · Score: 1

      "It sounds fake anyway."

      No actually, it sounds celtic.

  17. quantum computing by Anonymous Coward · · Score: 0

    University of New South Wales seems to be producing a lot of quantum computing breakthroughs too.

  18. Good Students and Good Security Program by DpEpsilon · · Score: 1

    So, in general, through all the high school programs that UNSW has available, I'd say it attracts the best students. It just so happens that I know a decent proportion of the students that participated in this competition and I know that they had a keen interest in computer science; so these are the better, more experienced, more enthusiastic students we're talking about here.

    Also, UNSW's main security course, COMP9447, is cited as being a good course by people I know who've done it and is very popular amongst the students: They extended the enrollment in the course for this semester at least once (not sure by how much) and there are still many students who missed out.

    1. Re:Good Students and Good Security Program by Anonymous Coward · · Score: 0

      CS9447 is the course that Fionnbharr and Brendan run, and the one which all these students came from.

  19. Other Unis by Anonymous Coward · · Score: 0

    He said his courses are very different from the typical IT courses at other universities. ... "They're all taught by these academics who have never hacked a thing in their life," he said. "The students are good, it's just the teachers ...

    Reminds me of my IT Security degree from Deakin University in Melbourne, Victoria. What a waste, I could have done a law degree. SIT at Deakin is a joke.

  20. We need more hackers by DMJC · · Score: 1

    We need a LOT more hacking. As Shodan shows us with the amount of physical infrastructure being put online, we need to keep hacking the shit out of everything until these bad security practices are ended once and for all. Moronic companies and governments are putting everyone at risk of outside cyber warfare. Imagine if someone started attacking major power plants. Individual hackers need more freedom to break into systems IMHO, and government departments and companies need to start being fined for vulnerability breaches.

  21. Am I the only one... by rbprbp · · Score: 1

    ... who parsed this as 'University of NSFW'?

    --
    They're there in their room. You're on your own.
  22. Bah, University of NSW by Anonymous Coward · · Score: 0

    I learned my rad skills at the University of NSFW