'Hacker' with a Cause: NYU-Poly freshman makes top 10 in first CSAW challenge

Julian Cohen’s one-person HockeyInJune team placed 7th in last weekend’s CTF: Application Security CSAW challenge, a marathon cyber battle.

After a sleepless 24 hours rooting out security vulnerabilities last weekend, Julian Cohen did what only a handful of participants have done over CSAW’s six-year history: make the top 10 in the Capture the Flag Application (CTF) Security challenge as a freshman, and as a one-person team.

CSAW, or “Cyber Security Awareness Week,” is Polytechnic Institute of NYU’s annual competition designed to test computer science students’ security chops. Its title is a bit of a misnomer as the competition’s six challenges vary in length. Students have several weeks to complete their submission for the Security Awareness Poster challenge, for example, and only hours to make it to the final round of the Quiz Tournament on November 13’s Awards Day, the culminating event for CSAW 2009.

Along with his fellow participants, Julian solved as many security “puzzles” as his wits and stamina – his fuels of choice are Skittles, Mike and Ikes, and Sprite – would allow during the midnight-to-midnight CTF challenge. Players talked to each other in a chat room as they racked up points in dorm rooms and apartments across the globe. They occasionally shared hints, but more often, they commiserated about overlooking obvious solutions.

“I wanted to show the ISIS lab I mean business,” said Julian of why he decided to compete on his own rather than on a team like other participants.

ISIS, which stands for “Information Systems and Internet Security,” is Polytechnic Institute of NYU’s National Science Foundation-funded laboratory devoted to all things cyber security – from research projects to instruction to the sometimes-heated criticism of poor security practices found in software and web applications.

ISIS’s graduate students collaborate with industry judges to create the challenges and run CSAW and, like Julian, are entrenched in the world of cyber security where in order to understand how to build good applications, you have to learn how to break bad ones. “That’s one of the problems with how a lot of computer science is taught,” says Julian, “they don’t teach you how to break things.”

Julian concentrated in computer science at Brooklyn Technical High School but learned most of what he knows about web security the way others like him do: by following the methods of “white hat hackers,” foot-soldiers in the fight against shoddy, insecure code. The academic term for this is “penetration testing” and according to Julian, there’s nothing offered at other colleges like “Penetration Testing and Vulnerability Analysis,” an NYU-Poly course he’s sitting in on. (He placed out of a required computer science course, but as a freshman can’t take Penetration Testing for credit.)

So has the ISIS lab taken note of Julian? At least one influential member has. When Professor Nasir Memon, the mastermind behind CSAW, director of the lab, and prominent security expert, saw the results from this weekend’s CTF challenge, he said, “let’s get him into ISIS.”

Registration is still open for some CSAW challenges. Visit the CSAW page for details. And if you’re in the area, come to Awards Day on November 13 where Julian will compete in the final leg of the CTF challenge.

NYU-Poly undergraduate Stanislav Palatnik also placed in CTF’s top 10 finalists as a member of the !first team. His teammates were from California Polytechnic State University. Teams from Carnegie Mellon University took the top two spots and a Rensselaer Polytechnic Institute team took third. See a complete list of finalists.