The coder is a champ
Rice grad student takes up computer challenge, walks away with cash

BY MIKE WILLIAMS
Rice News staff

For most people, doing something on a lark means buying a lottery ticket or going out for ice cream — something frivolous.

MICHAEL DIETZ

For Michael Dietz, it means untying the knots bogging down a computer system under attack — for fun, glory and even a little bit of money.

The Rice University graduate student in computer science went to last weekend’s 18th Usenix Security Symposium in Montreal intending to take in sessions and do a bit of networking, and he did all that. But in the evenings, he and two impromptu teammates coded their way to victory in the Security Grand Challenge and split a $5,000 prize.

Dietz arrived with no plan to compete, but was intrigued when Sunjeet Singh of the University of British Columbia in Vancouver, the grad student he was sharing a room with, suggested they check it out.

The after-hours event gave five teams responsibility for virtual servers, the hubs of “critical” systems, into which organizers had programmed all kinds of bugs. Competitors had to find the little nasties, squash them and make the systems as unhackable as possible.

Dietz and Singh found a third willing conferee, grad student Justin Cummins of the University of California at Davis, and the team spent two days uncovering the diabolical traps that contest organizers had set for them.

Rice graduate student Michael Dietz went to the 18th Usenix Security Symposium intending to take in sessions and do a bit of networking, and he did all that. But in the evenings, he and two impromptu teammates coded their way to victory in the Security Grand Challenge and split a $5,000 prize.

Dietz, a native of Kingwood, Texas, who earned his undergraduate degree at the University of Virginia, is about to start his second year in the computer security lab of Rice’s Dan Wallach, an associate professor of computer science and in electrical and computer engineering. It appears Wallach has taught him well.

“We had about three hours on the first day to try, very quickly, to harden the servers,” said Dietz, who is working at Intel in Berkeley, Calif., for the summer. “Our virtual machine had five computer programs critical for a medical application — a Web server, a diagnostic system and so on. They were written in PHP, Javascript, Python and two C programs.”

Dietz said he and his teammates were surprised to find themselves in first place at the end of the first day. “Suddenly, there was incentive,” he said. “We could win this.”

On the second day, Dietz and friends sat down at 6 p.m. and worked into the wee hours, finding programs coded in one language embedded within programs in another language that would trigger attacks by even more programs. “They were trying to be very tricky, and at some points they were doing things I hadn’t seen before, just to try to mess us up,” he said.

Between sessions, he said organizers would run specially designed bots to try to find holes in their work.

Early on the second day of the conference, Singh went back to work and found one more bug to squash, Dietz said, assuring the team a narrow victory over runners-up from University of Washington.

“It was an interesting diversion,” Dietz said.