Tuesday, July 14, 2015

My experience with #Security and the College Education System

I recently decided to go back to school for an advanced C++ certificate at the college level. I’ve been programming for a very long time and have taught technical hands-on college classes on computers to students with no prior computing experience. My approach was with online classes. In regard to technology studies, if you’re a technologically savvy person, online courses can be a really very easy route. That being said, if someone does not have the discipline to learn on their own, this will ultimately lead to failure and feelings of inadequacy. This however, was not my experience, and here is why: I’ve been a programmer for a very long time, and have taught and taken college courses. The college system is flawed, over-structured in many ways, and limited in all of the wrong places. Also the funding in regard to what a college deems important is spread to the wrong places as well, so education takes a back seat to things like sports, or getting more students. If an instructor has a high retention rate they're rewarded whether they are a good instructor or not. From the perspective of a faculty member, I can say it's all about the money and once students make it past the add-drop date for refunds, it really doesn't matter what happens if the schools do not have a reputation to uphold. Therefore it is up to the individual instructors to uphold the image and actually teach their students something meaningful. In online classes this rarely happens.

When you teach classes, online or not, the best students are typically always going to be the ones asking questions. This is not my habit, because the instructors are likely very busy, like everyone else, so as a professional researcher I turn to whatever means I have available to supplement my learning. The instructors assume students have all of the time in the world. If there is a discussion board, I will typically answer questions from students openly and honestly (where appropriate), when I am a student. Having grown accustomed to the stack exchange network online, it has made technical interaction painless and helped with delivery, especially in terms of citing my references. I don’t normally tell my instructors that I have taught courses unless it comes up, because it tends to make them nervous and this way, I get to really know their teaching style. Also it removes any liability on their part if they decide to cut me slack for some strange reason. At the end of the courses when they have the surveys, I will leave a few pages of tips rather than dropping a zero day in class. I also tactfully attempt to bring up any issues I find in the courses. "The ideal student," really it's more formulaic than that.

Security

While some courses briefly touch on security, unless someone specifically takes a security course for a specific field, like computer forensics, chances are they will have no idea about the necessary security required to make any applications “safer,” much less phishing, social engineering, or things like physical security. Colleges and accredited universities will likely not teach “hacking” as a course, because of the ethical liability of teaching people the skills of breaking systems and applications. Developing applications specifically for things like penetration testing are usually outside of the scope of a college class. Additionally this would be an added risk for the teaching environment, as the students would likely test their prowess on the institution’s network, servers, and devices. This can have severe legal ramifications at state schools, as it may become a federal offense if they can't control their programs. These excuses are essentially incorrect though, because if we teach security, then we can have more secure environments and while most of the degree programs for Digital Forensics require some sort of Ethics of Information Security training, these programs which should be foundational in all tech sectors would also allow people to identify non-ethical practices more clearly. Without the knowledge of the potential failures, we are creating a system of ignorant bliss and horror.

The textbooks

Textbooks take time to write and are typically only written from the vantage point of one or two writers. Then the texts are heavily edited for content. Often the writers might be part time developers, tech professionals, or in the case of several of the books from big-named textbooks publishers, college professors with 20+ years teaching experience. New textbooks are often created out of a teacher’s own need for an updated text, which can be a lot of extra work for a full-time instructor. After courses are over, the instructor then needs to review their notes, study the industry for changes, and adjust accordingly. Often this may only provide an instructor a couple of weeks of preparation time if they teach back-to-back courses, teach at multiple schools, or if they teach courses over the summer holiday. Typically I would look at my notes from the previous semester as to what I got wrong, yes educators make mistakes too, or what I could have made better, then adjusted my curriculum for the upcoming semester, while trying to incorporate the new changes from the industry, and the new changes from the software vendors; I was not writing a text in addition though.

When educators who aren’t staying current also write books, then we get into the issue of the books being several generations behind, so potentially an author,  writing a book in 2015 using their 2012 experiences based on 2005-ish real-world experience, creates a text that will not be published until 2016, after edits, liability review, and peer review. So students are in some cases roughly 10 years behind. Follow Twitter for an afternoon and you can quickly realize that this is a seemingly impossible task in regard to bleeding edge security. Security changes daily, and by the time a student has entered a class, unless the professor is savvy enough to stay up with the current affairs, the textbook becomes an incomplete crutch.

Terminology used in a course is dependent on the text being referenced, and that text was likely written by a tightly knit group of individuals who all used a singular localized lexical reference or spoke roughly in the same terms (e.g. coworkers); they all think the same way and use a word specifically to mean one thing, without seeing the other possible definitions for the same word, or outside approaches. There are of course other words that mean the very same thing outside of those groups. Like for instance phishing (the act) vs. social engineering (the concept). If a textbook writer was familiar with C first, then they might write about programming using more rigid constructs, and might not be familiar with advanced ideas or concepts in an extended language like C++, whereas if they started with C++11 there may be more focus on that end, and anything prior would be something they had not learned. If the authors feel the more rigid languages are important, they may not encourage the use of built-in constructs and require students to learn to develop the functions on their own. While this is helpful for learning, since most students go straight into the workforce, not knowing efficient ways to program can be an issue. Often in a management role I would find myself questioning a developer's use of multiple constructs when a built-in function existed already in the system; it's like recreating the wheel over and over.

Using non-textbooks

Although there are quite a few great books that aren’t textbooks that have been written on different aspects of security, most first-time students likely will have a hard time learning from, for instance, a memory forensics book right off of the shelf. You can see this in the reviews of books where people assumed it was something they could do immediately, and unlike college, there are very few prerequisites that are completely spelled out. A non-textbook may be written by an outlier with a singular specialized view of a particular methodology, so without a system of collegiate review, a book may not site references as well. This is not the case with about 80% of the tech references on the market. Every once in a while someone writes a book that is completely bad, wrong, or outdated. When a professor uses a non-textbook, and I’ve done this myself, it’s up to them to develop all of the added content and course material that goes along with the text, and to fully understand the topic, and the verify that the book is accurate. That's provided the text doesn't have links and external resources; many do, but it largely depends on the course. I stopped using non-textbooks in my classes because more often than not I would tell my students to rip out pages of the text that were in accurate or to cross them out. It became more of a book editing class and it was much easier to simply use my own notes and presentations.

Write a non-textbook, and while the course materials aren't there, there is less overhead in terms of overhaul, so if students are already required to learn on their own to an extent, this may be easier, field-dependent of course. The teachers must understand the text though, in order to gauge whether a student grasps the concepts being taught. If the teacher does not understand the text, then a non-textbook leaves the student with questions which can only be answered by professionals who have read the text or the original author.

Methodology

In many of my classes for programming there was the heavy need to document, from beginning to end. The instructors did not expect usefulness from an end-user experience standpoint, but there was much emphasis on things that made it easier for them to grade. When you have twenty students in an accelerated class, cutting corners tends to be the norm for instructors who are overloaded. Knowing this made receiving my A's easy, but however, I felt I didn't get everything from the courses that I could have. We did not cover the last three chapters in the C++ for instance because, due to pseudocode and flowcharting requirements we ran out of time. While I knew the content, having a professor give me pointers or validation was something that I felt made the experience rewarding. Also there were no specified expectations for the flowcharts, so in some instances I simply wrote a short chart that showed a process that loosely defined the context of the application. In others I was very specific showing the entire process or redundancy in a loop for instance. The teachers were so busy they simply provided no feedback whatsoever if the students appeared to go through the motions. As an engineer and development team manager this is a scary thing in terms of a lack of consistency. In the real world there should be expectations for performance in terms of documentation, and while the texts briefly mentioned this, the level of documentation in some of the examples was largely inconsistent. In the deeper applications, often the author would jump across twenty pages for a reference to an existing function, so the textbook has its limitations.

Determination

Educators typically do not have time to stay up on their field if they’re full-time or tenured instructors. Make them part-time and the drive may dwindle, since likely the bar is only set at becoming full-time, or something outside of their teaching career altogether. In my experience 3 out of 10 instructors tend to embrace education, everyone else is doing it for the money. Either it’s a personal decision to have a life, a lazy effort, or it’s a lack of time depending on the field, but all people go off on their own individual ways away from the rest of the world and rarely step back from a granular view. Often two different course sections taught by different instructors can have very different core competencies and outcomes in terms of quality, knowledge gained, and hands-on experience. My C++ class was all about flowcharts, which is great, if you're the manager or lead developer. In terms of coding it was horrible.


Here are my experiences as a student developer taking online classes with over 30 years of programming experience.


Introduction to Computers

I did not like this class at all and found several mistakes (16 disputes) in the online interactive text, the printed text, and the online interactive tests. My teacher was great and very understanding. The test site would respond with phrases like “165 other people have answered this problem without issue,” [what’s your problem?] Obviously, if they blindly obeyed their text, then of course they did. We were required to exhibit proficiency in Microsoft Office applications for assignments in a poorly-written, unforgiving, web-based Office emulator that on worked on a Windows system. It also used Flash and JavaScript-ish type code heavily, and while there are 50 ways to do just about everything in most applications, the web application for the testing platform was only programmed to accept a single method, despite my experience with Word since 1983.

The text we used, Computing Essentials 2014, was written focusing on 2009 “standards” and apparently the writers only used Microsoft systems since words like “ribbon” and “Hyper-V” were vocabulary words and there was one paragraph each for Unix & Linux, and mentions of two different versions of OSX each in their own respective paragraph; everything else was all about Windows.

Some of the text that referenced older technologies was very spot-on (e.g. compact discs), while newer technologies (the Internet) seemed to elude the writers. This can happen when someone writes a book in 2009 (or earlier) and the publisher asks for an updated version, and the writer can’t keep up with the technology. The book did mention that not all hackers are bad though, so there is at least that. Despite all of the hurdles in this class I managed to only miss a couple of questions during the whole course.

Programming Logic & Design (A.k.a. Intro to Python & Flowcharts)

Students who don’t interact, yet receive exemplary scores on tests aren’t that unheard of, but students in introductory Python courses who do type checking and error handling in their coding can set off a few red flags for a professor who is not accustomed to seeing this sort of code at the college level. Error checking was briefly mentioned in the text around Chapter 7 in the form of loops, while Try/Catch statements were not discussed in the entirety of the course. I will typically read a text cover-to-cover prior to starting a course, so by the time I need to really study the text it’s a refresher.

My instructor and I came to an understanding about my work in research and security and development projects. I write custom content management systems among other things, and understand how error handling in Python works because I have used the language for some time. Also I mentioned that I was simply trying to get my advanced C++ certification and this particular program was a required course that I could not CLEP. Python being used in the course was a unexpected bonus. My instructor, a developer herself, understood my position, and after seeing some of my other interactions with students realized that I was actually telling the truth and not like every other wannabe script kiddie she had in her classes prior. She was amazed at the plethora of Python apps written for the security industry. Python is not just for games, well, that depends on your definition of games I suppose. "Would, you, like, to, play, A, game?"

I thoroughly explained error handling in the class discussion boards with heavy references. Though I did really have to comment my code extremely well for my teacher, since a lot of the code I was using exceeded what we would ever learn in the intro to Python class. I had earned an A+ and felt I helped the students have a little better understanding of application and information security. If anything at least the slackers have better permissions on their social media accounts.

Professor Ratings are a thing

On a side note, when I taught many years ago, one of my students added me to the website ratemyprofessor.com. I had not heard of the site, and was told many of my students were apprehensive about taking my classes because they had heard that I was extremely hard. I had apparently received a 5 for helpfulness, a 5 for clarity, and a 2 for easiness. I understand how disgruntled students can really destroy a teacher’s reputation with a ratings site such as one of these, so I typically don’t look up a teacher out of professional courtesy. After my Intro to C++ class I definitely will.

Intro to C++

A developer who had apparently worked in large teams or managed large teams of other developers taught this course. There was a language barrier as the assignments were incoherent at times, often missing key instructions and necessary components. There was a PowerPoint presentation supplied that mirrored much of the text, and the course was accelerated, so at times students had to read 200+ pages, and perform their programming, while glancing through the PowerPoint for random things not covered in the text in order to pass their 100 question tests; not important things, just random tidbits that might be tested on. The hardest questions on the test were spot debugging. An online class, the course provided four dates where various programs were due in groups of up to six assignments. Each consecutive group built on the previous section, so if code was not correct in a previous assignment, it wasn’t going to be correct in a future assignment. Feedback on the code was very limited and sparse.

My professor, who had a 1.5 on ratemyprofessors.com after several years of teaching, decided that my code must have been plagiarized since this was an introductory class. In the instructions, the word “solution” was provided, but it wasn’t clear that this was something specific to the IDE the class recommended, Visual Studio 2013, so upon submission of my first block of five assignments I received a score of zero. Later I was told that it was required, and the syllabus was changed accordingly.

After asking the professor why I did not receive a grade, he explained that he felt I had plagiarized my code because it looked “familiar” and stated that we were only to use elements covered in the chapters of the book prior to the assignments. As a challenge, I had written my own custom conversion functions for converting between binary, hex, and octal numbers using only math for some of the looping assignments; very Rube Goldberg. My professor said I could “either be a coder or a designer,” but not both when he looked at the custom functions. When I explained that I had several years of programming experience I was told that this did not matter, that the programs needed to be done in the style of the book, only using knowledge from the book. Any outside knowledge (from anything) would be marked off and he didn’t care if there were easier ways to write the functions. I later pointed out to him that he was referencing an older copy of the book and the order of the text had changed from what he had taught prior.

I later realized that the reason for the zero was because he was using the project logs in Visual Studio solutions to glance at the output to do a quick spot check for errors and to see the output results of the applications we had provided. Also, in his instructions it wasn’t clear that flowcharts for every function needed to be provided for the entirety of the course, which in hindsight was a really useful, albeit extra, process that I had not employed myself, working on servers that were being actively hacked in a production environment. Over time I came to respect this professor’s methods, but I can definitely see why the class attendance dropped exponentially as the course progressed. Also the discussion boards in this course were not provided, so every student was on their own. I still made an A, but it was one of the hardest A’s I’ve ever had to work for.

The advanced C++ class at this particular school has not been offered online again since most of the online class takers dropped the only online Intro to C++ course, so it’s on to something else in the interim.

How do we fix it?


  1. Provide instructors with the resources necessary to advance their fields. If a college wants to remain competitive, then they need to have on-staff researchers that help with the planning of a course and make sure that the bar is being set close to industry standards. Nobody likes getting a degree that was outdated before they graduated.
  2. Require teachers to stay up on their industries. It doesn’t take much for a teacher to read a little in their spare time. Even if the text is unsupportive, if a good teacher knows the text is flawed they can adjust accordingly. If a teacher doesn't know, they might blindly hammer in out of date content, or in the case of programming, bad practices.
  3. Educate the teachers about the importance of security. If the teachers aren’t teaching from that standpoint, then it will be up to the students to learn, and as someone who is constantly bridging that gap I can safely say, there is very little in-between.
  4. Once the teachers learn about security, then, we rewrite the textbooks to be taught with more of a security-minded approach. Ask teachers and industry professionals for input prior to a release. Peer review is a good thing in the sciences, it should be taught to developers. 
  5. Teach students ethics and ethical hacking techniques if they are going to be developers. If a developer can pen-test their own code and that of their coworkers, they are a much more valuable asset to a team than the developer that shrugs their shoulders and says, “I don’t know.” We need our developers to say, “I have an idea” or “I know what I did wrong.” When a developer can understand an issue they can write better code. Don't worry about the script kiddies. They're going to download the industry standard applications and muddle their way through them, albeit poorly. Even corporations who are supposed to be ethical can often cross that line from white to black.

What will then happen to the security industry?

I've seen this in other industries, "if we share knowledge, then we're doomed," or "they want to fire me and hire somebody cheaper." The security industry is the bleeding edge of everything we know about security and more often all of the gaps in our knowledge. It’s not going anywhere anytime soon, and it might actually be staffed appropriately at the point more people understand about the need for security in information systems. Without changing these practices we’re setting ourselves up for failure.

No comments:

Post a Comment

I'm going to read this before it goes live if you don't mind.