Slashdot Mirror

← Back to Stories (view on slashdot.org)

How an Aussie University Creates the World's Best Hackers

Posted by samzenpus on from the advanced-hacking-101 dept.

bennyboy64 writes "An Australian university appears to be excelling at cultivating some of Australia's best computer hackers. Following the University of NSW's students recently placing first, second and third in a hacking war game (the first place winners also won first place last year), The Sydney Morning Herald reports on what exactly about the NSW institution is breeding some of Australia's best hackers. It finds that a lecturer and mentor to the students with controversial views on responsible disclosure appears to the be the reason for their success."

40 of 76 comments (clear)

  1. Creates or attracts? by Anonymous Coward · · Score: 1

    Creates or attracts?

    1. Re:Creates or attracts? by Runaway1956 · · Score: 1

      University of Not Safe for Work? I'd say it attracts . . .

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  2. Makes Sense by phantomfive · · Score: 5, Insightful

    In Universities, it turns out that the individual professors are the most important part of a quality institution. At a small university, a single quality professor can make a huge difference.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:Makes Sense by Noishe · · Score: 4, Insightful

      Just as my mod points expire...

      You're absolutely correct that it's the teachers that matter and not the institution.

      Mind you, the institution also has to have the right culture in place to first attract and then tolerate the actions of teachers like this. I would also extend your point, and say that the professors matter just as much at a large university as they do at a small one.

    2. Re:Makes Sense by SessionExpired · · Score: 1

      the individual professors are the most important part of a quality institution

      I wonder if this guy teaches there. He is local, and he would have made me study EE instead of chemistry.

      --
      You want the taste of dried leaves boiled in water?
    3. Re:Makes Sense by wisnoskij · · Score: 2

      Well in a large one where you are in classes of 400 plus students, I would say that individual professors matter less that one where you are in classes of 20.

      In the first one you will not get to see him in-between classes for help (that will be left up to his army of TAs), and you will be sitting so far away your only interaction is likely to be watching the slides that his TAs prepared and listening to a speaker as he reads them.

      --
      Troll is not a replacement for I disagree.
    4. Re:Makes Sense by ceoyoyo · · Score: 1

      That's because the universities, as far as undergraduate programs go, are essentially all the same.

    5. Re:Makes Sense by dkf · · Score: 1

      Well in a large one where you are in classes of 400 plus students, I would say that individual professors matter less that one where you are in classes of 20.

      But there's no reason in principle why a single professor should give tutorials to the entire year, especially at undergraduate level where there are often multiple people in a large department who can teach the same course module. (Lectures can scale up much larger than tutorials do, but the skills for giving a lecture aren't the same as those for running a laboratory session or giving a tutorial.)

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    6. Re:Makes Sense by manu0601 · · Score: 2

      It is true for any enterprise, whether being an university or a corporation. Things are done well or badly by humans, not by the walls that surround them, or the uniforms they wear. Policy that try to turn individuals into disposable resource might succeed at industrialize something well known, but it will starve at being remarkable.

    7. Re:Makes Sense by phantomfive · · Score: 1

      It is true for any enterprise, whether being an university or a corporation.

      Good point.

      --
      "First they came for the slanderers and i said nothing."
  3. An eminently sensible policy by Anonymous Coward · · Score: 2, Insightful

    "We say that you should do whatever you want with the exploit. It's your vulnerability, you found it, it's your thing. You have no obligation to report it at all. In fact, reporting it can get you into a lot of trouble."

    1. Re:An eminently sensible policy by westlake · · Score: 4, Insightful

      "We say that you should do whatever you want with the exploit. It's your vulnerability, you found it, it's your thing. You have no obligation to report it at all. In fact, reporting it can get you into a lot of trouble."

      It is not your thing ---

      and it is precisely this kind of thinking that brings the hacker increasingly into conflict with society and the law.

    2. Re:An eminently sensible policy by gagol · · Score: 5, Insightful

      Going legal after people disclosing vulnerabilities got us where we are. If you are not opened to receive security status about your [system/software/network] get prepared to be hacked because you backed the very people willing to help you in a corner.

      --
      Tomorrow is another day...
    3. Re:An eminently sensible policy by Anonymous Coward · · Score: 1

      It is not your thing ---

      and it is precisely this kind of thinking that brings the hacker increasingly into conflict with society and the law.

      What they are doing is creating pure intellectual property, no different from a company patenting a gene sequence that they discovered. It is, according to direction that IP law is taking, absolutely theirs.

      Whether you believe it should be this way or not is an entirely different kettle of fish.

    4. Re:An eminently sensible policy by countach · · Score: 1

      Yeah, but nobody knows until its too late if a particular organisation is enlightened or not. Now that I think about it, responsible organisations should have a disclosure policy on their web sites. Something like "if you find a vulnerability in our systems, please report it, and there is a small reward" or something, so that people feel safe to report this stuff.

    5. Re:An eminently sensible policy by gagol · · Score: 3, Insightful

      In the beginning, people were reporting that shit. Then lawyers got involved. This is when the SHTF. Because we don't know if we are going to end in court or not, we prefer to shut up and let them bath in filth.

      --
      Tomorrow is another day...
    6. Re:An eminently sensible policy by plover · · Score: 2

      The article quotes the professor's example of a guy who revealed a flaw to a company that they were exposing hundreds of thousands of people's financial accounts. All he did was to change the user ID in his URL to some other number, which was a different person's account. He knew that his own information was at risk, and wanted the company to fix their badly written web site.

      The reward for his reporting effort was a police investigation, and the company threatened him with the liability of the costs of fixing the flaw.

      Sure, many companies will take a security report and say "oh, crap!" They'll then scurry about and fix the problem. They might say thank you, they might not. But the truth is some companies are run by total douche-nozzles who respond with threats.

      When it's a possibility that companies will respond by acting as completely irrational and irresponsible as this, the professor is doing the right thing by teaching the students "don't assume any good will necessarily come from what you've done." If you monetize the flaw by selling it, someone else assumes the risk. They might buy it to exploit it, or they might hope to turn it into a reward.

      His advice is to avoid the conflict entirely. It's amoral, but it's very practical advice that will keep you personally out of jail.

      --
      John
    7. Re:An eminently sensible policy by EnempE · · Score: 1

      Unfortunately that practical advice goes beyond immoral. In many states it is illegal to produce a device or code that allows unauthorized access, in the others, facilitating a crime is bad juju. Selling that code will not be viewed in the best light and will destroy any chance of a defense based on lack of intent. Lord only knows what will happen if you sell your exploit to a guy, who sells it to a guy with terrorist ambitions. Talking to a CERT about it seemed like a good idea. Also it is high time universities stepped up and provided support to their students/researchers. Government talks a lot about public private partnerships in the war on cybercrime, this would be a good place to start.

    8. Re:An eminently sensible policy by able1234au · · Score: 1

      If i remember that case i think the problem was that to prove it was a problem he dumped down a large number of account details. He was responding as would a technical person to a technical problem but forgetting that these were valuable account details. It is a little like working out how to open your safety deposit box without a key and then testing it by opening up every deposit box in the bank and wondering why they were upset since you were just proving to yourself that the technique worked.

      So, agree that the company overreacted and were totally dumb in their response but i can understand their initial misguided kneejerk response.

    9. Re:An eminently sensible policy by Anonymous Coward · · Score: 1

      Duh. You won't get into conflict if you don't get caught. Society doesn't want to know about the vulnerabilities. If they wanted to know they would pay the finders instead of prosecuting them. Too many stories where someone finds a hole, reports it, then gets to trouble instead of getting praise.

  4. GCHQ by Anonymous Coward · · Score: 3, Interesting

    Or maybe it's because the curriculum is designed so that Defence Signals Directorate (the Aussie equivalent of GCHQ/NSA) can go there and have a one-stop shop for their new recruits...

  5. the University of NSFW? by Anonymous Coward · · Score: 1

    No wonder they have so many 24x7 hackers...

  6. Re:Good by Anonymous Coward · · Score: 2, Funny

    You sir get the off-topic redneck award of the day.

  7. Part of it is that they've been at it for a long . by Coeurderoy · · Score: 4, Interesting

    Part of it is that they've been at it for a long time... http://en.wikipedia.org/wiki/Lions'_Commentary_on_UNIX_6th_Edition,_with_Source_Code Lions was at the UNSW, getting student to have access to code seems to be a tradition there. I also met a couple of very talented people who got their degrees there in the late 70's early 80's and worked with some of them... It just shows that the right way to run an university is not to worry too much about the curriculum and do the unexpected, even the vaguely illegal. BTW it seems the equivalent document he wrote about the pdp11 unix C compiler is not avaiable, it's sad it was very interesting.

  8. Australian schools have magic by Anonymous Coward · · Score: 2, Funny

    As I learned from this video last year. It's a snap.

  9. Cracker by Anonymous Coward · · Score: 1, Informative

    Cracker, not hacker. Goddammit, /. of all places should be able to get this right.

    1. Re:Cracker by Runaway1956 · · Score: 1

      I thought crackers cracked games and applications. Hackers do stuff more like the people in the article are doing - penetration testing. Most hackers can likely crack a DRM'd game too.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    2. Re:Cracker by phantomfive · · Score: 2

      FYI that ship sailed decades ago.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Cracker by CurunirAran · · Score: 1

      A 'Cracker' is somebody who finds exploits and security holes in applications and then uses them for illegal purposes. Cracking applications is just a small subset of that. Hackers are basically do what you said. The Grandparent is incorrect in its definition of crackers and hackers.

  10. Re:Australia huh? by nzac · · Score: 1

    Its the Sydney Morning Herald, they have a low journalistic standard.

  11. Best of world? by Njovich · · Score: 1

    It's a national CTF for some australian schools. Wake me up when they win iCTF and Defcon in the same year.

    What's next, call the junior ice skating winner in the Australian nationals the best ice-skaters in the world without further evidence?

    1. Re:Best of world? by joseph90 · · Score: 1

      kinda like the world series baseball, eh? ;-)

  12. Richard Buckland by dingen · · Score: 1, Informative

    I'm surprised Richard Buckland isn't mentioned anywhere. He's supposed to be *the* superstar comp sci lecturer at UNSW, right? And I do believe he has a keen interest in security too. Hmm... that gets me thinking, maybe "Fionnbharr Davies" is an alias. It sounds fake anyway.

    --
    Pretty good is actually pretty bad.
    1. Re:Richard Buckland by DpEpsilon · · Score: 1

      Yeah, he's that one professor that probably makes UNSW a good security university.

    2. Re:Richard Buckland by Vylen · · Score: 2

      Richard Buckland is currently working on internet voting and the security involved around that.

      Fionnbharr Davies is actually an ex-student of Richard.

      I know this being a UNSW graduate and a student of Richard as well :)

      Fionnbharr was quite the unusual character but quite devoted to his studies cause he just found it fun. No surprises here that he enjoys lecturing for the same reasons!

    3. Re:Richard Buckland by Anonymous Coward · · Score: 2

      Richard Buckland is currently working on internet voting and the security involved around that.

      Fionnbharr Davies is actually an ex-student of Richard.

      I know this being a UNSW graduate and a student of Richard as well :)

      Fionnbharr was quite the unusual character but quite devoted to his studies cause he just found it fun. No surprises here that he enjoys lecturing for the same reasons!

      Richard Buckland is the one who organises these courses; He gets Fionnbharr and Brendan to run them.

    4. Re:Richard Buckland by Xest · · Score: 1

      "It sounds fake anyway."

      No actually, it sounds celtic.

  13. Good Students and Good Security Program by DpEpsilon · · Score: 1

    So, in general, through all the high school programs that UNSW has available, I'd say it attracts the best students. It just so happens that I know a decent proportion of the students that participated in this competition and I know that they had a keen interest in computer science; so these are the better, more experienced, more enthusiastic students we're talking about here.

    Also, UNSW's main security course, COMP9447, is cited as being a good course by people I know who've done it and is very popular amongst the students: They extended the enrollment in the course for this semester at least once (not sure by how much) and there are still many students who missed out.

  14. We need more hackers by DMJC · · Score: 1

    We need a LOT more hacking. As Shodan shows us with the amount of physical infrastructure being put online, we need to keep hacking the shit out of everything until these bad security practices are ended once and for all. Moronic companies and governments are putting everyone at risk of outside cyber warfare. Imagine if someone started attacking major power plants. Individual hackers need more freedom to break into systems IMHO, and government departments and companies need to start being fined for vulnerability breaches.

  15. Am I the only one... by rbprbp · · Score: 1

    ... who parsed this as 'University of NSFW'?

    --
    They're there in their room. You're on your own.