How an Aussie University Creates the World's Best Hackers

bennyboy64 writes "An Australian university appears to be excelling at cultivating some of Australia's best computer hackers. Following the University of NSW's students recently placing first, second and third in a hacking war game (the first place winners also won first place last year), The Sydney Morning Herald reports on what exactly about the NSW institution is breeding some of Australia's best hackers. It finds that a lecturer and mentor to the students with controversial views on responsible disclosure appears to the be the reason for their success."

Creates or attracts?

[Anonymous Coward]

Creates or attracts?

Re:

[Runaway1956]

University of Not Safe for Work? I'd say it attracts . . .

Makes Sense

[phantomfive]

In Universities, it turns out that the individual professors are the most important part of a quality institution. At a small university, a single quality professor can make a huge difference.

Re:Makes Sense

[Noishe]

Just as my mod points expire...

You're absolutely correct that it's the teachers that matter and not the institution.

Mind you, the institution also has to have the right culture in place to first attract and then tolerate the actions of teachers like this. I would also extend your point, and say that the professors matter just as much at a large university as they do at a small one.

Re:

[wisnoskij]

Well in a large one where you are in classes of 400 plus students, I would say that individual professors matter less that one where you are in classes of 20.

In the first one you will not get to see him in-between classes for help (that will be left up to his army of TAs), and you will be sitting so far away your only interaction is likely to be watching the slides that his TAs prepared and listening to a speaker as he reads them.

Re:

[dkf]

Well in a large one where you are in classes of 400 plus students, I would say that individual professors matter less that one where you are in classes of 20.

But there's no reason in principle why a single professor should give tutorials to the entire year, especially at undergraduate level where there are often multiple people in a large department who can teach the same course module. (Lectures can scale up much larger than tutorials do, but the skills for giving a lecture aren't the same as those for running a laboratory session or giving a tutorial.)

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[ceoyoyo]

That's because the universities, as far as undergraduate programs go, are essentially all the same.

Re:

[manu0601]

It is true for any enterprise, whether being an university or a corporation. Things are done well or badly by humans, not by the walls that surround them, or the uniforms they wear. Policy that try to turn individuals into disposable resource might succeed at industrialize something well known, but it will starve at being remarkable.

Re:

[phantomfive]

It is true for any enterprise, whether being an university or a corporation.

Good point.

An eminently sensible policy

[Anonymous Coward]

"We say that you should do whatever you want with the exploit. It's your vulnerability, you found it, it's your thing. You have no obligation to report it at all. In fact, reporting it can get you into a lot of trouble."

Re:An eminently sensible policy

[westlake]

"We say that you should do whatever you want with the exploit. It's your vulnerability, you found it, it's your thing. You have no obligation to report it at all. In fact, reporting it can get you into a lot of trouble."

It is not your thing ---

and it is precisely this kind of thinking that brings the hacker increasingly into conflict with society and the law.

Re:An eminently sensible policy

[gagol]

Going legal after people disclosing vulnerabilities got us where we are. If you are not opened to receive security status about your [system/software/network] get prepared to be hacked because you backed the very people willing to help you in a corner.

Re:

[countach]

Yeah, but nobody knows until its too late if a particular organisation is enlightened or not. Now that I think about it, responsible organisations should have a disclosure policy on their web sites. Something like "if you find a vulnerability in our systems, please report it, and there is a small reward" or something, so that people feel safe to report this stuff.

Re:An eminently sensible policy

[gagol]

In the beginning, people were reporting that shit. Then lawyers got involved. This is when the SHTF. Because we don't know if we are going to end in court or not, we prefer to shut up and let them bath in filth.

Re:

[Anonymous Coward]

It is not your thing ---

and it is precisely this kind of thinking that brings the hacker increasingly into conflict with society and the law.

What they are doing is creating pure intellectual property, no different from a company patenting a gene sequence that they discovered. It is, according to direction that IP law is taking, absolutely theirs.

Whether you believe it should be this way or not is an entirely different kettle of fish.

Re:

[plover]

The article quotes the professor's example of a guy who revealed a flaw to a company that they were exposing hundreds of thousands of people's financial accounts. All he did was to change the user ID in his URL to some other number, which was a different person's account. He knew that his own information was at risk, and wanted the company to fix their badly written web site.

The reward for his reporting effort was a police investigation, and the company threatened him with the liability of the costs of fi

Re:

[EnempE]

Unfortunately that practical advice goes beyond immoral. In many states it is illegal to produce a device or code that allows unauthorized access, in the others, facilitating a crime is bad juju. Selling that code will not be viewed in the best light and will destroy any chance of a defense based on lack of intent. Lord only knows what will happen if you sell your exploit to a guy, who sells it to a guy with terrorist ambitions. Talking to a CERT about it seemed like a good idea. Also it is high time u

Re:

[able1234au]

If i remember that case i think the problem was that to prove it was a problem he dumped down a large number of account details. He was responding as would a technical person to a technical problem but forgetting that these were valuable account details. It is a little like working out how to open your safety deposit box without a key and then testing it by opening up every deposit box in the bank and wondering why they were upset since you were just proving to yourself that the technique worked.

So, agree

Re:

[Anonymous Coward]

Duh. You won't get into conflict if you don't get caught. Society doesn't want to know about the vulnerabilities. If they wanted to know they would pay the finders instead of prosecuting them. Too many stories where someone finds a hole, reports it, then gets to trouble instead of getting praise.

GCHQ

[Anonymous Coward]

Or maybe it's because the curriculum is designed so that Defence Signals Directorate (the Aussie equivalent of GCHQ/NSA) can go there and have a one-stop shop for their new recruits...

Re:

[Anonymous Coward]

You sir get the off-topic redneck award of the day.

the University of NSFW?

[Anonymous Coward]

No wonder they have so many 24x7 hackers...

Part of it is that they've been at it for a long .

[Coeurderoy]

Part of it is that they've been at it for a long time... http://en.wikipedia.org/wiki/Lions'_Commentary_on_UNIX_6th_Edition,_with_Source_Code [wikipedia.org] Lions was at the UNSW, getting student to have access to code seems to be a tradition there. I also met a couple of very talented people who got their degrees there in the late 70's early 80's and worked with some of them... It just shows that the right way to run an university is not to worry too much about the curriculum and do the unexpected, even the vaguely illegal. BTW it seems the equivalent document he wrote about the pdp11 unix C compiler is not avaiable, it's sad it was very interesting.

Australian schools have magic

[Anonymous Coward]

As I learned from this video [youtube.com] last year. It's a snap.

Cracker

[Anonymous Coward]

Cracker, not hacker. Goddammit, /. of all places should be able to get this right.

Re:

[Runaway1956]

I thought crackers cracked games and applications. Hackers do stuff more like the people in the article are doing - penetration testing. Most hackers can likely crack a DRM'd game too.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[phantomfive]

FYI that ship sailed decades ago.

Australia huh?

[interval1066]

What do they all do, move to Croatia as soon as they graduate?

Re:

[nzac]

Its the Sydney Morning Herald, they have a low journalistic standard.

Best of world?

[Njovich]

It's a national CTF for some australian schools. Wake me up when they win iCTF and Defcon in the same year.

What's next, call the junior ice skating winner in the Australian nationals the best ice-skaters in the world without further evidence?

Re:

[joseph90]

kinda like the world series baseball, eh? ;-)

Richard Buckland

[dingen]

I'm surprised Richard Buckland isn't mentioned anywhere. He's supposed to be *the* superstar comp sci lecturer at UNSW, right? And I do believe he has a keen interest in security too. Hmm... that gets me thinking, maybe "Fionnbharr Davies" is an alias. It sounds fake anyway.

Re:

[DpEpsilon]

Yeah, he's that one professor that probably makes UNSW a good security university.

Re:

[Vylen]

Richard Buckland is currently working on internet voting and the security involved around that.

Fionnbharr Davies is actually an ex-student of Richard.

I know this being a UNSW graduate and a student of Richard as well :)

Fionnbharr was quite the unusual character but quite devoted to his studies cause he just found it fun. No surprises here that he enjoys lecturing for the same reasons!

Re:

[Anonymous Coward]

Richard Buckland is currently working on internet voting and the security involved around that.

Fionnbharr Davies is actually an ex-student of Richard.

I know this being a UNSW graduate and a student of Richard as well :)

Fionnbharr was quite the unusual character but quite devoted to his studies cause he just found it fun. No surprises here that he enjoys lecturing for the same reasons!

Richard Buckland is the one who organises these courses; He gets Fionnbharr and Brendan to run them.

Re:

[Xest]

"It sounds fake anyway."

No actually, it sounds celtic.

Good Students and Good Security Program

[DpEpsilon]

So, in general, through all the high school programs [unsw.edu.au] that UNSW has available, I'd say it attracts the best students. It just so happens that I know a decent proportion of the students that participated in this competition and I know that they had a keen interest in computer science; so these are the better, more experienced, more enthusiastic students we're talking about here.

Also, UNSW's main security course, COMP9447, is cited as being a good course by people I know who've done it and is very popular amon

We need more hackers

[DMJC]

We need a LOT more hacking. As Shodan shows us with the amount of physical infrastructure being put online, we need to keep hacking the shit out of everything until these bad security practices are ended once and for all. Moronic companies and governments are putting everyone at risk of outside cyber warfare. Imagine if someone started attacking major power plants. Individual hackers need more freedom to break into systems IMHO, and government departments and companies need to start being fined for vulnerab

Am I the only one...

[rbprbp]

... who parsed this as 'University of NSFW'?