
How an Aussie University Creates the World's Best Hackers

samzenpus posted about a year ago | from the advanced-hacking-101 dept.

Security 76

bennyboy64 writes "An Australian university appears to be excelling at cultivating some of Australia's best computer hackers. Following the University of NSW's students recently placing first, second and third in a hacking war game (the first place winners also won first place last year), The Sydney Morning Herald reports on what exactly about the NSW institution is breeding some of Australia's best hackers. It finds that a lecturer and mentor to the students with controversial views on responsible disclosure appears to be the reason for their success."

76 comments

Creates or attracts? (1)

Anonymous Coward | about a year ago | (#43702711)

Creates or attracts?

Re:Creates or attracts? (1)

Runaway1956 (1322357) | about a year ago | (#43703265)

University of Not Safe for Work? I'd say it attracts . . .

Re:Creates or attracts? (0)

davester666 (731373) | about a year ago | (#43707813)

Aussie == criminal

News at 11.

Re:Creates or attracts? (0)

Anonymous Coward | about a year ago | (#43705019)

How about a B.Sc., M.Sc. and PhD in stealing and theft. University of NSW should consider it since these are not that different with their current course. One could even justify that these degrees may help property owners to secure their properties!

Makes Sense (5, Insightful)

phantomfive (622387) | about a year ago | (#43702713)

In Universities, it turns out that the individual professors are the most important part of a quality institution. At a small university, a single quality professor can make a huge difference.

Re:Makes Sense (4, Insightful)

Noishe (829350) | about a year ago | (#43702899)

Just as my mod points expire...

You're absolutely correct that it's the teachers that matter and not the institution.

Mind you, the institution also has to have the right culture in place to first attract and then tolerate the actions of teachers like this. I would also extend your point, and say that the professors matter just as much at a large university as they do at a small one.

Makes Sense: Robin Williams. (0)

Anonymous Coward | about a year ago | (#43703271)

So this guy is a modern day Dead Poets Society?

Re:Makes Sense (2)

wisnoskij (1206448) | about a year ago | (#43703289)

Well in a large one where you are in classes of 400 plus students, I would say that individual professors matter less than in one where you are in classes of 20.

In the first one you will not get to see him in-between classes for help (that will be left up to his army of TAs), and you will be sitting so far away your only interaction is likely to be watching the slides that his TAs prepared and listening to a speaker as he reads them.

Re:Makes Sense (1)

dkf (304284) | about a year ago | (#43703825)

Well in a large one where you are in classes of 400 plus students, I would say that individual professors matter less than in one where you are in classes of 20.

But there's no reason in principle why a single professor should give tutorials to the entire year, especially at undergraduate level where there are often multiple people in a large department who can teach the same course module. (Lectures can scale up much larger than tutorials do, but the skills for giving a lecture aren't the same as those for running a laboratory session or giving a tutorial.)

Re:Makes Sense (0)

Anonymous Coward | about a year ago | (#43704033)

Not sure what university you went to but my 200+ class professors begged students to come to their office hours. The office hours probably were so boring because nobody went.

Re: Makes Sense (0)

Anonymous Coward | about a year ago | (#43715735)

I worked as a guest professor for a 4 week section of a course plus an exam component following it last year. I also made myself available by Skype, and made sure to offer my availability for help with any issues. Wasn't contacted one time. It's kinda frustrating when you do all you can in lectures, labs and tutorials, and offer to do more (unpaid extra, mind you), and you still have students failing over relatively simple stuff just because they won't approach you.

Re:Makes Sense (1)

SessionExpired (642030) | about a year ago | (#43703267)

the individual professors are the most important part of a quality institution

I wonder if this guy [eevblog.com] teaches there. He is local, and he would have made me study EE instead of chemistry.

Re:Makes Sense (0)

Anonymous Coward | about a year ago | (#43705339)

LOL, beware what you believe. Don't give your money to loud big mouth youtube preachers.

Re:Makes Sense (1)

ceoyoyo (59147) | about a year ago | (#43703569)

That's because the universities, as far as undergraduate programs go, are essentially all the same.

Re:Makes Sense (1)

jfz (917930) | about a year ago | (#43704103)

And here I was thinking that it was the number of new buildings, department sizes, tennis courts, landscaping, and quantity of state certified content-crammed courses. What a shocker!

Re:Makes Sense (2)

manu0601 (2221348) | about a year ago | (#43706165)

It is true for any enterprise, whether it be a university or a corporation. Things are done well or badly by humans, not by the walls that surround them, or the uniforms they wear. Policies that try to turn individuals into disposable resources might succeed at industrializing something well known, but they will starve at being remarkable.

Re:Makes Sense (1)

phantomfive (622387) | about a year ago | (#43706741)

It is true for any enterprise, whether it be a university or a corporation.

Good point.

If they're so great (0, Troll)

Anonymous Coward | about a year ago | (#43702759)

How come they didn't get FIRST POST!

Re: If they're so great (0)

Anonymous Coward | about a year ago | (#43702807)

The first comment on Slashdot. Ever.

An eminently sensible policy (2, Insightful)

Anonymous Coward | about a year ago | (#43702787)

"We say that you should do whatever you want with the exploit. It's your vulnerability, you found it, it's your thing. You have no obligation to report it at all. In fact, reporting it can get you into a lot of trouble."

Re:An eminently sensible policy (4, Insightful)

westlake (615356) | about a year ago | (#43702889)

"We say that you should do whatever you want with the exploit. It's your vulnerability, you found it, it's your thing. You have no obligation to report it at all. In fact, reporting it can get you into a lot of trouble."

It is not your thing ---

and it is precisely this kind of thinking that brings the hacker increasingly into conflict with society and the law.

Re:An eminently sensible policy (5, Insightful)

gagol (583737) | about a year ago | (#43702921)

Going legal after people disclosing vulnerabilities got us where we are. If you are not open to receiving security status about your [system/software/network], get prepared to be hacked, because you backed the very people willing to help you into a corner.

Re:An eminently sensible policy (1)

countach (534280) | about a year ago | (#43703909)

Yeah, but nobody knows until it's too late if a particular organisation is enlightened or not. Now that I think about it, responsible organisations should have a disclosure policy on their web sites. Something like "if you find a vulnerability in our systems, please report it, and there is a small reward" or something, so that people feel safe to report this stuff.

Re:An eminently sensible policy (3, Insightful)

gagol (583737) | about a year ago | (#43704141)

In the beginning, people were reporting that shit. Then lawyers got involved. This is when the SHTF. Because we don't know if we are going to end in court or not, we prefer to shut up and let them bathe in filth.

Re:An eminently sensible policy (0)

Anonymous Coward | about a year ago | (#43704531)

Westlake is a Microsoft sockpuppet. They have an axe to grind with people who expose their bugs.

Re:An eminently sensible policy (1)

Anonymous Coward | about a year ago | (#43703087)

It is not your thing ---

and it is precisely this kind of thinking that brings the hacker increasingly into conflict with society and the law.

What they are doing is creating pure intellectual property, no different from a company patenting a gene sequence that they discovered. It is, according to the direction that IP law is taking, absolutely theirs.

Whether you believe it should be this way or not is an entirely different kettle of fish.

Re:An eminently sensible policy (0)

Anonymous Coward | about a year ago | (#43704503)

"pure intellectual property"?

Using the term intellectual property reveals you know nothing about which you speak. There is no such thing on earth.

Re:An eminently sensible policy (0)

Anonymous Coward | about a year ago | (#43707123)

However, there is such a thing in civilized society.

Feel free to go back to your cave and try to get your fire started rubbing two sticks together....

Re:An eminently sensible policy (0)

Anonymous Coward | about a year ago | (#43707999)

However, there is such a thing in civilized society.

Feel free to go back to your cave and try to get your fire started rubbing two sticks together....

Rubbing two sticks together might actually work. In this "civilized" society you'd be sued because "rubbing sticks together" is patented, and you just broke the law, and stole IP, and most likely tried to burn something down in a terrorist action. Less lawyers means better society.

Re:An eminently sensible policy (0)

Anonymous Coward | about a year ago | (#43711931)

Using the term intellectual property reveals you know nothing about which you speak. There is no such thing on earth.

If a piece of software has a bug, it is a tangible thing. If I write an exploit for said bug, it is a tangible thing. Between those steps is the knowledge of the bug which is used to create the exploit. It has value, and it has no physical representation intrinsically.

This is no different from a map to a diamond mine, or a map of a genome that tells you where your CD4 receptor is coded so you can knock the sequence out of your lab mouse and test HIV therapies. The map is a transformation of the information upon which it is based. It does not have an independent existence.

If you have a better descriptor for this concept than 'intellectual property', I am all ears.

Re:An eminently sensible policy (2)

plover (150551) | about a year ago | (#43704151)

The article quotes the professor's example of a guy who revealed a flaw to a company that they were exposing hundreds of thousands of people's financial accounts. All he did was to change the user ID in his URL to some other number, which was a different person's account. He knew that his own information was at risk, and wanted the company to fix their badly written web site.

The reward for his reporting effort was a police investigation, and the company threatened him with the liability of the costs of fixing the flaw.

Sure, many companies will take a security report and say "oh, crap!" They'll then scurry about and fix the problem. They might say thank you, they might not. But the truth is some companies are run by total douche-nozzles who respond with threats.

When it's a possibility that companies will respond by acting as completely irrational and irresponsible as this, the professor is doing the right thing by teaching the students "don't assume any good will necessarily come from what you've done." If you monetize the flaw by selling it, someone else assumes the risk. They might buy it to exploit it, or they might hope to turn it into a reward.

His advice is to avoid the conflict entirely. It's amoral, but it's very practical advice that will keep you personally out of jail.

Re:An eminently sensible policy (0)

Anonymous Coward | about a year ago | (#43704541)

It's not amoral, and in fact, throughout history morals are just abuse of authority to control people's behaviours and actions.
You could say ethics, but nobody can define what is ethical and not. With ethics, it's your own personal opinion and degree of self-reflection that matters.

This is simply a perfectly valid response to threats and ignorant, if not criminal, abuse of the legal system.
When holes in the dike are illegal to report on, or you're just too ignorant, fearful and abusive to understand when someone's trying to help you, you just ensured the next black swan event on yourselves.

Re:An eminently sensible policy (1)

EnempE (709151) | about a year ago | (#43705261)

Unfortunately that practical advice goes beyond immoral. In many states it is illegal to produce a device or code that allows unauthorized access, in the others, facilitating a crime is bad juju. Selling that code will not be viewed in the best light and will destroy any chance of a defense based on lack of intent. Lord only knows what will happen if you sell your exploit to a guy, who sells it to a guy with terrorist ambitions. Talking to a CERT about it seemed like a good idea. Also it is high time universities stepped up and provided support to their students/researchers. Government talks a lot about public private partnerships in the war on cybercrime, this would be a good place to start.

Re:An eminently sensible policy (1)

able1234au (995975) | about a year ago | (#43705271)

If I remember that case I think the problem was that to prove it was a problem he dumped down a large number of account details. He was responding as would a technical person to a technical problem but forgetting that these were valuable account details. It is a little like working out how to open your safety deposit box without a key and then testing it by opening up every deposit box in the bank and wondering why they were upset since you were just proving to yourself that the technique worked.

So, agree that the company overreacted and were totally dumb in their response but I can understand their initial misguided kneejerk response.

Re:An eminently sensible policy (0)

Anonymous Coward | about a year ago | (#43705615)

You do realise that sometimes, good exploits take something like several months of work to write? How is that not "your thing", if you work at it for so long? If you worked on something for several months, non-stop, and then someone tried to take it away and say it wasn't yours in the first place, how would you feel?

Re:An eminently sensible policy (1)

Anonymous Coward | about a year ago | (#43707985)

Duh. You won't get into conflict if you don't get caught. Society doesn't want to know about the vulnerabilities. If they wanted to know they would pay the finders instead of prosecuting them. Too many stories where someone finds a hole, reports it, then gets into trouble instead of getting praise.

GCHQ (3, Interesting)

Anonymous Coward | about a year ago | (#43702795)

Or maybe it's because the curriculum is designed so that Defence Signals Directorate (the Aussie equivalent of GCHQ/NSA) can go there and have a one-stop shop for their new recruits...

Re:GCHQ (0)

Anonymous Coward | about a year ago | (#43705585)

The DSD don't pay enough, and don't have enough good people, to ever get the talented hacker kids in .au. DSD is a "oh shit, I didn't get a good job" kinda place.

Re:GCHQ (0)

Anonymous Coward | about a year ago | (#43705703)

This isn't true, DSD has great success in hiring talented hacker kids.
Retention is the main problem, government agencies are terrible at keeping technical staff longer than a couple of years. Once they've soaked up the great training available they head off to the private sector (often Google or Facebook).

Re:GCHQ (0)

Anonymous Coward | about a year ago | (#43708833)

BULLSHIT. As someone that regularly interacts with DSD, the amount of quality technical individuals is extremely limited there, however the ones that think they are knowledgeable are in abundant supply in that place. I have been truly stunned many times with some of the lack of understanding of even basics by their supposedly quality staff.

Good (0, Flamebait)

benjfowler (239527) | about a year ago | (#43702801)

Nice to see the good guys get ahead for once. A world run by the likes of Russia, China or the Muslims would be hell, and we need to be prepared.

Re:Good (2, Funny)

Anonymous Coward | about a year ago | (#43702845)

You sir get the off-topic redneck award of the day.

Re:Good (-1)

Anonymous Coward | about a year ago | (#43702949)

Hesbola guy, go home and make love to your 8yo wife!

Re:Good (0)

Anonymous Coward | about a year ago | (#43703309)

It isn't "love" when all he's doing is banging a piece of meat that he bought and paid for. Instead of "making love" he is "venting frustrations".

the University of NSFW? (1)

Anonymous Coward | about a year ago | (#43702835)

No wonder they have so many 24x7 hackers...

Part of it is that they've been at it for a long . (4, Interesting)

Coeurderoy (717228) | about a year ago | (#43702869)

Part of it is that they've been at it for a long time... http://en.wikipedia.org/wiki/Lions'_Commentary_on_UNIX_6th_Edition,_with_Source_Code [wikipedia.org] Lions was at the UNSW, getting students to have access to code seems to be a tradition there. I also met a couple of very talented people who got their degrees there in the late 70's early 80's and worked with some of them... It just shows that the right way to run a university is not to worry too much about the curriculum and do the unexpected, even the vaguely illegal. BTW it seems the equivalent document he wrote about the pdp11 unix C compiler is not available, it's sad, it was very interesting.

Australian schools have magic (2, Funny)

Anonymous Coward | about a year ago | (#43702939)

As I learned from this video [youtube.com] last year. It's a snap.

Five Deadly Venoms (0)

Anonymous Coward | about a year ago | (#43702975)

Did anyone reading TFA think of old martial arts films where star pupils turned to the dark side [imdb.com] ?

beware of grubb the scrub... (0)

Anonymous Coward | about a year ago | (#43702985)

Arguing that college level war games somehow measures who does and doesn't have the best hackers is mildly retarded. Then of course, it's probably noteworthy that the contest they're referring to isn't a world competition, but rather an inter-aussie competition. Furthermore, it's a bunch of web apps.. so apparently the easiest way to defeat these super hackers is to ... turn off your webpage!

Finally, tying it into any stance on responsible disclosure is just overly retarded, the idea that any level of morality or lack thereof in a subject that is inherently highly technical just smacks of dumb.

Oz does have some of the world's best, Dowd and Cesare immediately come to mind. This is just fluff cruft from a journalist and a good exemplification of why you can safely ignore everything in the news relating to hacking generally.

Full rankings, inclusive of the ALL aussie contestants found here:
https://scoring.cyberchallenge.com.au/index/ranking

Re:beware of grubb the scrub... (0)

Anonymous Coward | about a year ago | (#43705921)

The Fionnbharr guy in the article works at Dowd's company, as per the article, and http://www.azimuthsecurity.com/about.html

Cracker (1, Informative)

Anonymous Coward | about a year ago | (#43703045)

Cracker, not hacker. Goddammit, /. of all places should be able to get this right.

Re:Cracker (1)

Runaway1956 (1322357) | about a year ago | (#43703327)

I thought crackers cracked games and applications. Hackers do stuff more like the people in the article are doing - penetration testing. Most hackers can likely crack a DRM'd game too.

Re:Cracker (1)

CurunirAran (2811035) | about a year ago | (#43707111)

A 'Cracker' is somebody who finds exploits and security holes in applications and then uses them for illegal purposes. Cracking applications is just a small subset of that. Hackers basically do what you said. The Grandparent is incorrect in its definition of crackers and hackers.

Re:Cracker (2)

phantomfive (622387) | about a year ago | (#43707107)

FYI that ship sailed decades ago.

Australia huh? (0)

interval1066 (668936) | about a year ago | (#43703055)

What do they all do, move to Croatia as soon as they graduate?

Re:Australia huh? (1)

nzac (1822298) | about a year ago | (#43703243)

It's the Sydney Morning Herald, they have a low journalistic standard.

Best of world? (1)

Njovich (553857) | about a year ago | (#43703449)

It's a national CTF for some Australian schools. Wake me up when they win iCTF and Defcon in the same year.

What's next, call the junior ice skating winner in the Australian nationals the best ice-skaters in the world without further evidence?

Re:Best of world? (1)

joseph90 (193138) | about a year ago | (#43703483)

kinda like the world series baseball, eh? ;-)

Re:Best of world? (0)

Anonymous Coward | about a year ago | (#43704275)

1) It's a stupid name from 100 years ago

2) The best players in the world play in the MLB (*)

3) There is a team in Canada

*) Baseball is popular in North and South America, the Caribbean, and East Asia. Many of the best players are from places like the Dominican Republic, Venezuela, and Japan. Just because a sport isn't popular in Europe (home of "World War" I, if you recall) doesn't mean it isn't popular elsewhere.

Re:Best of world? (0)

Anonymous Coward | about a year ago | (#43704835)

Woah...relax. I think the point the parent was making about baseball is that nobody of significance (apart from USA) plays your boring game.

Re:Best of world? (0)

Anonymous Coward | about a year ago | (#43705811)

Actually the point was the Americans call their domestic baseball competition the "World" championship.

Kinda like how Miss Universe doesn't feature any one from outside of Earth...

Richard Buckland (1, Informative)

dingen (958134) | about a year ago | (#43703671)

I'm surprised Richard Buckland isn't mentioned anywhere. He's supposed to be *the* superstar comp sci lecturer at UNSW, right? And I do believe he has a keen interest in security too. Hmm... that gets me thinking, maybe "Fionnbharr Davies" is an alias. It sounds fake anyway.

Re:Richard Buckland (1)

DpEpsilon (2538466) | about a year ago | (#43704325)

Yeah, he's that one professor that probably makes UNSW a good security university.

Re:Richard Buckland (0)

Anonymous Coward | about a year ago | (#43704501)

This may be true for Security, but UNSW also has a fantastic Systems Group which is in large part due to the hard work of Kevin Elphinstone and Gernot Heiser. Who also practice very hands on learning. UNSW undergraduates write a fully working operating system, Cambridge undergraduates talk about it.

Re:Richard Buckland (2)

Vylen (800165) | about a year ago | (#43705365)

Richard Buckland is currently working on internet voting and the security involved around that.

Fionnbharr Davies is actually an ex-student of Richard.

I know this being a UNSW graduate and a student of Richard as well :)

Fionnbharr was quite the unusual character but quite devoted to his studies cause he just found it fun. No surprises here that he enjoys lecturing for the same reasons!

Re:Richard Buckland (2)

Anonymous Coward | about a year ago | (#43705559)

Richard Buckland is currently working on internet voting and the security involved around that.

Fionnbharr Davies is actually an ex-student of Richard.

I know this being a UNSW graduate and a student of Richard as well :)

Fionnbharr was quite the unusual character but quite devoted to his studies cause he just found it fun. No surprises here that he enjoys lecturing for the same reasons!

Richard Buckland is the one who organises these courses; he gets Fionnbharr and Brendan to run them.

Re:Richard Buckland (0)

Anonymous Coward | about a year ago | (#43706773)

UNSW alumnus here.

Fionnbharr isn't Buckland. Buckland's security course was pretty awesome too though, not sure if he's still teaching it..

Re:Richard Buckland (0)

Anonymous Coward | about a year ago | (#43708287)

Last I heard Richard was quite ill.

Re:Richard Buckland (1)

Xest (935314) | about a year ago | (#43708341)

"It sounds fake anyway."

No actually, it sounds celtic.

quantum computing (0)

Anonymous Coward | about a year ago | (#43704219)

University of New South Wales seems to be producing a lot of quantum computing breakthroughs too.

Good Students and Good Security Program (1)

DpEpsilon (2538466) | about a year ago | (#43704421)

So, in general, through all the high school programs [unsw.edu.au] that UNSW has available, I'd say it attracts the best students. It just so happens that I know a decent proportion of the students that participated in this competition and I know that they had a keen interest in computer science; so these are the better, more experienced, more enthusiastic students we're talking about here.

Also, UNSW's main security course, COMP9447, is cited as being a good course by people I know who've done it and is very popular amongst the students: They extended the enrollment in the course for this semester at least once (not sure by how much) and there are still many students who missed out.

Re:Good Students and Good Security Program (0)

Anonymous Coward | about a year ago | (#43705693)

CS9447 is the course that Fionnbharr and Brendan run, and the one which all these students came from.

Other Unis (0)

Anonymous Coward | about a year ago | (#43708067)

He said his courses are very different from the typical IT courses at other universities. ... "They're all taught by these academics who have never hacked a thing in their life," he said. "The students are good, it's just the teachers ...

Reminds me of my IT Security degree from Deakin University in Melbourne, Victoria. What a waste, I could have done a law degree. SIT at Deakin is a joke.

We need more hackers (1)

DMJC (682799) | about a year ago | (#43708343)

We need a LOT more hacking. As Shodan shows us with the amount of physical infrastructure being put online, we need to keep hacking the shit out of everything until these bad security practices are ended once and for all. Moronic companies and governments are putting everyone at risk of outside cyber warfare. Imagine if someone started attacking major power plants. Individual hackers need more freedom to break into systems IMHO, and government departments and companies need to start being fined for vulnerability breaches.

Am I the only one... (1)

rbprbp (2731083) | about a year ago | (#43708879)

... who parsed this as 'University of NSFW'?

Bah, University of NSW (0)

Anonymous Coward | about a year ago | (#43760207)

I learned my rad skills at the University of NSFW
