Growing reputation: UNSW students excelled in an anti-establishment hacking challenge. Credit:Erin Jonasson During the 24 hours they are required to conduct "penetration testing" on the company's web apps, network and product, as well as give advice in easy-to-understand "grandma" language. A penetration test is used to evaluate the security of a computer system or network by simulating a hacker attack. Forty-three groups, each made up of four students from 20 institutions, participated and it proved so popular that Telstra had to cap the number of teams per school to three. What may have attracted the budding young hackers was the first prize, a trip to the infamous Black Hat IT security conference in Las Vegas. UNSW entered three groups of four students in the challenge, placing first, second and third. The winning group also won last year.

Bunkered down: the UNSW team that won. Some members of the winning team have also come first in other Australian security challenges, such as the Ruxcon capture the flag contest held in Melbourne. So what is it about UNSW that is cultivating some of the nation's most promising young "white hat" hackers? All three teams from UNSW who won places. Fionnbharr Davies is the IT security lecturer and mentor to the UNSW students.

Unlike other, more serious academics who teach at the university, Davies lists as a joke on his staff profile that he is a "Professional Suit Wearer" who teaches "Haqr techniques", "HTML" and "Thwarting the lizard people threat". I have absolutely no fears I'm creating some black hat army. If anything, these students are going to go on to become really good [white hat] security researchers. UNSW IT security lecturer Fionnbharr Davies A 27-year-old who works full-time at Azimuth Security, Davies co-lectures part-time alongside Brendan Hopper, 28, who works at the Commonwealth Bank as a penetration tester. Many of their students have gone on to work at large security companies such as Stratsec (now BAE Systems) and Securus Global, while some pupils are doing internships at the likes of Google. Theo Julienne, one of Davies' students and a member of the Cyber Security Challenge winning team, said that what made him a good white hat hacker was Davies' unconventional teaching practices. Julienne's teammate Karla Burnett agreed. Both students said Davies' courses were practical and hands-on, rather than all about theory.

"If companies are doing stupid things that do not make sense he criticises them in lectures," Burnett said. "He won't try and be polite about stuff." Julienne added: "[Davies] doesn't screw around with theory stuff. He tells us this is how it works and this is what you do in a company to secure it." Although working in the security industry pays more than lecturing, Davies said he lectures because it is fun. "I've actually not been paid twice because I was too lazy to fill out the forms because I'm not motivated by money," he said. "It's incredibly rewarding to teach students and see them do really well... My students winning first, second and third place [last week] is great."

He said his courses are very different from the typical IT courses at other universities. "It's a really big difference from your [average computer] science degree courses, because generally when you are going to them you start doing artificial intelligence [AI]. "You get told here's a problem, here's the algorithm you should use to solve it, and go and solve it using that algorithm. "So essentially this [security] part of the course I teach is like a mini thesis. We drop the students in the deep end and go, 'All right, you have to come up with your own project. It's going to be difficult and we'll judge you half on it.' "A lot of people then immediately drop out of the course after the first or second week when they realise it's going to be a ton of work. A lot of university students don't want to do a ton of work."

Davies said he was shocked when he saw the way students at other universities were taught IT security. "They're all taught by these academics who have never hacked a thing in their life," he said. "The students are good, it's just the teachers ... "Talking to some of the other students at other universities I was actually quite appalled at the sort of things they were taught. Like, it's not even real computer science." Davies said about 60 per cent of his course focused on projects, while the other 40 per cent was based on a "war game" challenge like the one held by Telstra and government agencies. "So students write rootkits," he said. "At the courses running at the moment ... students are designing rootkits for Mac OS X, Android and Linux."

A "rootkit" is a stealthy type of software designed to hide the existence of certain processes or programs from normal methods of detection. It is often malicious and used by hackers. "People are writing exploits in the course and doing large security projects you might normally see proper security researchers doing [in the real world]," Davies said. "But students can do them because they're intelligent and motivated." To defend against hackers, Burnett said, one needed to think like one, and that was what Davies taught students to do – by thinking "offensive" rather than "defensive". "You need to know how a hacker is thinking if you want to defend against them," Burnett said. Davies, when asked if he believed students should report vulnerabilities they find or stumble across on company's IT systems, said: "We say that you should do whatever you want with the exploit. It's your vulnerability, you found it, it's your thing. You have no obligation to report it at all. In fact, reporting it can get you into a lot of trouble."

Davies pointed to the case of Australian security expert Patrick Webster, who received a knock on the door from police and a legal letter after he told First State Super he had found a flaw exposing the personal details of its 770,000 members. First State Super disabled his superannuation account with them, asked to check his computers and said he may have been liable for any costs to fix the security breach he reported to them. "There is always the chance that a company will turn around and bite you," Davies said. "That kind of shit happens all the time and is why I actually recommend not doing responsible disclosure. I don't like the term and if anything you should sell the vulnerability. "Sell it to anyone [you can find] because they're the ones who will then deal with the company... Or, if you're not going to reveal it, go through a third party like CERT Australia."

Matt Barrie, who teaches cryptography and network security at the University of Sydney, said his course was also very hands-on, and to an extent unconventional, but not as much as Davies'. "We get people to analyse things like Wi-Fi, find out how it can be hacked and what the problems are," he said. Barrie also conducts war games and gives students cryptographic puzzles to crack. But unlike Davies, Barrie believes universities are "getting fairly practical" with their IT security courses. "Some of my graduates have joined the Defence Signals Directorate and have become key people at a firm called Stratsec, which recently got sold to [Defence contractor] BAE Systems," Barrie said.