Top US Undergraduate Computer Science Programs Skip Cybersecurity Classes

Kelly Jackson Higgins, reporting for Dark Reading: A new study reveals that none of the top 10 U.S. university computer science and engineering program degrees requires students take a cybersecurity course. There's the cybersecurity skills gap, but a new study shows there's also a major cybersecurity education gap -- in the top U.S. undergraduate computer science and engineering programs. An analysis of the top 121 US university computer science and engineering programs by CloudPassage found that none of the top 10 requires students take a cybersecurity class for their degree in computer science, and three of the top 10 don't offer any cybersecurity courses at all. The alarming study also reveals that only one (University of Alabama) out of the 121 schools required three or more cybersecurity classes to graduate. "With more than 200,000 open cybersecurity jobs in 2015 in the U.S. alone and the number of threat surfaces exponentially increasing, there's a growing skills gap between the bad actors and the good guys," Robert Thomas, CEO of CloudPassage, told SCMagazine.com.

It's been a while since I was a CS student.

[aussersterne]

In fact, it's been decades.

But the academic in me wants to say that computer science is not the right place for courses about practical security. Those should be in IT departments, no?

Re:It's been a while since I was a CS student.

[Hunter-Killer]

Depends on the problem you intend to address.
Malware clean up, vuln scanning, thumb drive police--IT.
Sanitizing inputs, not storing sensitive data in plaintext--dev.

Re:It's been a while since I was a CS student.

[__aaclcg7560]

Those should be in IT departments, no?

The IT department can handle deployed applications. Programmers still need to write application code to prevent security issues in the first place.

Re:It's been a while since I was a CS student.

[rakslice]

Although there are a lot of CS-level concepts you can teach someone that relate to security, when it comes to "IT security jobs" and the practical security issues that you're going to deal with in them, there is very little connection.

The analogy that I often use is: Would you expect a physicist to be able to fix your car? I like to think not. Or would a news outlet fall into a similar trap of publishing claims from some company looking for free a marketing opportunity that universities have a responsibility to teach their graduates auto repair?

At the very least I would expect a news outlet to catch on that "cybersecurity" is not a term that is actually used by many people that deal with the security of software and computer networks.

Re:It's been a while since I was a CS student.

But the academic in me wants to say that computer science is not the right place for courses about practical security. Those should be in IT departments, no?

It's not like the IT departments are self educated. Knowing the kind of education some (most?) of the IT support people get, I would be worried if they should be the experts in the field. It would basically come down to "always run updated software, because that is what the teacher told us and apart from that, do as we like". Proper security requires people, who actually understands the problem, which points towards the universities.

I say in the modern world where everything is online 24/7, thinking security into every step would not be a bad idea because hackers will find the weak link. This mean it's not good enough to ignore security just because you are making something secondary like a game as anything can be attacked. A good example of this is a game where the server code for multiplayer had a bug where it could overflow when reading a specific package from a client. This overflow could then be exploited to make the server execute the binary, which was included in the overflow. I will not be specific about the game or specific command, but it has been patched. The issue is that it was just an insignificant part of a GPL licensed game, yet it ended up with a serious issue because one person didn't think security into every single level and the people reviewing the code missed it too (it might have missed reviewing entirely due to being coded by the founder).

I seriously can't see any valid argument for anybody with a degree in computer science, software engineering or similar could have any valid reason for not know about security. Considering I had to take a chemistry class and engineering history for my engineering degree, I say network/internet security is far more relevant.

Re:It's been a while since I was a CS student.

[fuzzyfuzzyfungus]

Unfortunately, aside from the intervening decades having led to surprisingly little progress in deciding what 'CS' should actually include(in the sense of a degree, I assume that academic computer scientists have successfully held the line on the 'no, running windows update is not computer science' issue); people don't even have the decency to provide a cogent definition of what they are fretting about the presence or absence of in a CS curriculum.

'Cybersecurity". Ok, aside from 'cyber' being a denizen of the worst areas of buzzword hell; do you mean "good software engineering practices with regard to sanitizing inputs"? "How to grovel through IDS logs 101"? "How to not fuck up handling cryptographic keys?" "Side Channels and how to be paranoid enough about them"?

As is so often the case, it sounds like somebody needs to solve the problem between the keyboard and the chair before we can even begin to have a meaningful chat about whatever they say the problem is.

Re:It's been a while since I was a CS student.

[__aaclcg7560]

It's not like the IT departments are self educated.

Successful IT technicians are the ones who never stop learning. They put in their eight-hour day and go home to work on their technology projects, learn a certification or take night classes to advance themselves. The fastest way to commit professional suicide is to stop learning.

It would basically come down to "always run updated software, because that is what the teacher told us and apart from that, do as we like".

Written by someone who has never worked in a Fortune 500 IT department.

Proper security requires people, who actually understands the problem, which points towards the universities.

Here's the problem with the university education: most, if not all, people stop learning after they graduate from school because they're no longer in school.

I had two friends who graduated from CS programs at the state university, got jobs at major companies, worked seven years in the same position, and got laid off during the dot com bust. The took a six-month vacation while collecting unemployment benefits, figuring that they deserved it after working so many years in the industry. And then they couldn't find a job because their job skills were obsolete. Instead of going back to school, enrolling in a boot camp, or buying a book to teach themselves, they ran out of money and became drug store clerks. Fifteen years later they're still drug store clerks.

Another example. An IT manager at my work was responsible for imaging laptops. Been doing the job for 15 years since graduating from the university. Until he got a brand new Dell laptop that needed a replacement hard drive. He couldn't find the hard drive since it didn't have 2.5" hard drive bay. We told him that the hard drive was a solid state drive on a card, which he claimed was the wireless card and threw a fit when we pointed out the wireless card. That laptop sat in his office for six months before another manager pulled it out and sent it back to Dell under warranty.

Re:It's been a while since I was a CS student.

No. Sanitizing inputs and encrypting sensitive data are still practical concerns, while a university program should be focused on theory. Trade schools or *gasp* on-the-job-training (i.e., apprenticeships) would be better places for it.

We won't let the med school graduate operate autonomously without going through a residency program, because during the course of their career, they could impact thousands of lives. The recent CS grad, on the other hand, is expected to hit the ground running in writing the medical software that will impact potentially millions of lives.

Re:It's been a while since I was a CS student.

[HiThere]

I don't know. When I took computer science, it was algorithm design and numerical analysis. Security wasn't even mentioned. But that was before public access to the Internet, so perhaps things are different now.

However, my expectation would be that security wouldn't be handled under Computer Science. And since Computer Engineering was a major under Electrical Engineering, and included things like designing half-adders, that doesn't sound like the right place either.

Perhaps there needs to be an Information Technologies major that WOULD be an appropriate home for computer security. The OS specific parts, though, would be a bugger even for that major. Linux seems pretty stable, but what would you put in a course on MSWindows security? That wouldn't change with the next version? (OK, I haven't used MSWind for over a decade...perhaps there is something reasonable.) It seems as if OS specific security should be covered under multiple "short courses" about a month long as a second or third year class in the IT major.

Re:It's been a while since I was a CS student.

[Darinbob]

Sanitizing inputs and such, that's programming, not computer science. Also if you want to be good at cyber security you need math. The subject is more of a graduate level one in many ways, though I agree familiarity with it is important. For the average student cyber security will be more of a rote memorization class rather than one that teaches real understanding of the topics.

Re:It's been a while since I was a CS student.

[aussersterne]

When I was in CS school, it had very little to do with "code" and everything to do with math and theory. CS was the science wing of computation fields. The coding was for the computer engineering and information technology students.

Re:It's been a while since I was a CS student.

[aussersterne]

So why not teach it where the programmers are being taught, in a CE or IT department, rather than in CS, where there is relatively little work on "programming" as such?

Re:It's been a while since I was a CS student.

[aussersterne]

In my CS program, it was the same—huge on math and theory and the mathematical representation of concepts, problems, and sequences/patterns. Very little coding. Just enough code in year one to get you able to actually touch keyboards and do the math, but otherwise, very little "applied" technology of any kind.

That, we were told, belonged to the engineering wing over in computer engineering, who was to worry about implementation of CS concepts and theory, and to the applied/operations wing over in information technology, who was to worry about day-to-day computation in the real world using the implementations CS had designed. We even had a 1xx class on the divisions and consequences, etc.:

Sequence: CS = Research/Theory -> CE = Implementation -> IT = Real-world application of implementation -> Feedback sent back up the chain

Re:It's been a while since I was a CS student.

[__aaclcg7560]

So why not teach it where the programmers are being taught, in a CE or IT department, rather than in CS, where there is relatively little work on "programming" as such?

Because when I think of the term "computer science," or more precisely the initials "CS," I believe it covers every aspect of computers from the pie in the sky theories to the power button. Apparently, this is a common misconception that many people outside the university system have.

To paraphrase Robert Kiyosaki of "Rich Dad, Poor Dad" fame: the higher you go for education degrees, the less you learn.

Translations: universities are pushing out specialists when this country need generalists.

Re: It's been a while since I was a CS student.

I humbly disagree. Programming is applied computer science, in the same way engineering is an apppied science. We're expecting these CS graduates to go fourth and do something, and a good portion of that is in implementation.
Good engineers need to understand the limitations of their theoretical knowledge, and how to apply sound principals in a real world, practical manner. For instance, I've seen blueprints which required a weld at the bottom of a 6 tall square tube, which was 4 inches in diameter. When called on his design, the engineer did not understand this was impossible to do without basically inventing a machine and process to do it. This individual had Zero real world experience, or common sense. Seems this is not uncommon amongst other professions? Maybe apprenticeships need to be revisited?

Re: It's been a while since I was a CS student.

[110010001000]

That isn't CS, that is programming.

Re:It's been a while since I was a CS student.

[aussersterne]

I have no problem with the idea that there ought to be courses on security, just not in CS where (at least when I was a student) that's not really what they do. They're in the business of figuring out/proving/disproving whether things *can be computed in theory* and how, in theory.

Security just isn't a question that has anything to do with that, and these are people that write comparatively little code. It's not what the discipline is about.

There *are* people that spend their time learning how to code, and how to code properly for real-world situations and deployment (which is precisely where security becomes an issue). That's my point. Security ought to be taught where people are actually learning to code, deploy, and operate. It's a serious, rigorous field of its own. It just doesn't happen to be computer science (which, if it helps you, could just as easily be called "computation theory").

Re:It's been a while since I was a CS student.

[HornWumpus]

So basically you're saying 99% of people studying CS should be studying something else?

CS has expanded beyond it's math roots. Not all CS even comes out of math departments. Some CS is taught out of the business school (spit). Never hire those people.

If you want to complain about CS majors who program, you should contrast them with CS majors who don't...that is one useless bunch of air thieves.

IMHO you should get a pretty good handle on programming with self study in high school or before, if you want to study CS, CompE, EE or any science that will require you to use a computer.

Re: It's been a while since I was a CS student.

[WarJolt]

The problem is Cybersecurity is it's a mindset. You can't just give one class on the subject. Database classes are not required in undergraduate programs and SQL injections aren't mentioned when your class is more focused on relational algebra.

About 1/5 of that class needs no explanation and 4/5 would claim to understand it if explained to them, but never think about it once they graduate.

Either you get it immediately or it needs to be pound into you at the work place. Many work places have mechanisms in place to verify these vulnerabilities are not introduced. Others do not. I think that's a critical flaw.

Re: It's been a while since I was a CS student.

[retchdog]

Who will go first, second, and third?

Re:It's been a while since I was a CS student.

[willy_me]

Might I suggest security courses taught as a branch of software engineering? One would learn to integrate security fundamentals within the basic design of an application. Much better then bolting it on after the fact. And those security fundamentals, and the way they are used, will not change. Implementations will - but a degree should be about the fundamentals and not said implementations.

Software engineering is typically taught as a subset of computer science so I do not see a problem with such credits being used for a CS degree. But any security related classes should be optional because as you mentioned - computer science is a science - not engineering.

Re: It's been a while since I was a CS student.

[johnsmithperson123]

It's the difference between securing a bank from robbers and manufacturing the vault.

Re: It's been a while since I was a CS student.

[johnsmithperson123]

It's got better since LanMan and the Ping of Death. Windows security is summed up as this: 1. Always use the latest version of Windows. 2. Don't use IE. 3. Use 2-3 antimalware programs. 4. Always check installers thoroughly. This is miserable from my point of view after having to do no work in Linux and little in OS X for security. I swear, I forgot to check the stupid little boxes on installers enough to set my search engine to Yahoo five times and install at least 3 dumb toolbars.

Re: It's been a while since I was a CS student.

[__aaclcg7560]

I swear, I forgot to check the stupid little boxes on installers enough to set my search engine to Yahoo five times and install at least 3 dumb toolbars.

Uninstalling those toolbars was the bane of my existence as a help desk technician during the 2000's.

Re: It's been a while since I was a CS student.

[Cassini2]

We're expecting these CS graduates to go fourth and do something, ...

Historically, universities were about perpetuating knowledge and the advancement of knowledge. Apprenticeships and professional programs are where people learn do to something practical. Universities were the hallowed halls of pure learning.

In the beginning, no one foresaw that a pure math specialization would have huge practical use. Some of the greats in computer science never thought their work would ever see use outside of the math department. If memory serves, Bool was extremely pleased that Boolean Algebra existed as a theoretical exercise that would never have a practical application.

Re:It's been a while since I was a CS student.

It's not like the IT departments are self educated.

Successful IT technicians are the ones who never stop learning. They put in their eight-hour day and go home to work on their technology projects, learn a certification or take night classes to advance themselves. The fastest way to commit professional suicide is to stop learning.

Successful companies allow for on the job training. Unless they are switching careers or making up for lost time, nobody should ever be expected to bring work home just to succeed.

IT people are among the most creative and innovative people in the workforce. They should be involved in many fields, arts, maths, astronomy, physics, robotics, etc... or just their families honestly, not more extremely inefficient work in an industry that doesn't value people's time.

Want to teach yourself how to solve problems with scripts or write slunk queries? Take a couple days AT WORK to teach yourself, and ask someone who knows.
We need to move past the elitist "I had to learn it and it sucked, so screw you" mentality in IT.
We should reward people who take a few days longer on a project to learn how to write a script for it, learn the company's documentation tools, or learn how to put a Splunk dashboard together to monitor it. Don't ever expect people to work for you all day and go home and teach themselves how to do it better!

Re:It's been a while since I was a CS student.

[aussersterne]

This is what I think.

It should be required for anyone getting a degree that recommends their ability to write code and create systems.

It should not be required just because someone is getting a *computer science* degree, because (unless the science has completely disappeared) a lot of those guys would have to *first* learn how to code, *then* learn about deployment and networks and users, *then* learn security, and it would take serious time away from the actual thrust of their degree.

People are posting upthread about things being different now, about the engineering wing now being a part of many CS programs, which was not the case when I was in the field. So maybe a dual-track degree is in order. To get the degree with the software engineering emphasis, yes, you have to learn about security. But to get the degree on computational theory? It makes no sense to me, except in the case of those that want to work on cryptographic theory/information theory and so on.

For a lot of the guys I went to school with, it would just make no sense. They'd have to first learn to code before they learned about coding securely. Or they'd have to first learn about networks before they could learn about securing them. And so on. They were busy with problems totally unrelated to implementation and deployment, and it would turn the degree that they got into another degree entirely as they spent years learning how to build stuff, instead of how to rigorously conceptually represent stuff and how to rigorously prove stuff.

When I think "computer science," programmers are the farthest thing from my mind. I imagine blackboards and chalk and lots and lots of scribbling. Not writing well-formed PHP+SQL code. Like, totally separate universes.

Re:It's been a while since I was a CS student.

[TapeCutter]

When I was a lab tutor teaching C to 2nd year CS students in the early 90's the standard "sanitising inputs" lesson was me randomly bashing their keyboard and reducing their mark if it crashed. Turning theory into practice is what lab classes and assignments are supposed to be all about, unfortunately many of the people who teach lab classes do not have any real world experience. Having said that, the role of a university should be to educate people, it should not be expected to relive industry of their responsibility to train their workers.

Re:It's been a while since I was a CS student.

[gweihir]

As many of these people will do system architectures and design and some of them will do implementation, I must strongly disagree. Trying to retrofit security somehow to things that were designed without is the core reason for today's mess.

Re:It's been a while since I was a CS student.

[TheRaven64]

Even if you're doing a very theoretical CS course, cryptography and information theory should be covered and these are both very relevant to security. Complexity theory and game theory are core parts of computer science and are also fundamental to computer security (what is the worst-case behaviour of this algorithm in the presence of an adversary?). You might not be taught things labelled security, but the fundamental concepts should be there.

Re:It's been a while since I was a CS student.

[ole_timer]

it should be everywhere, but especially in cs. as I tell my graduate students "designed and built by humans always has bugs"

Re:It's been a while since I was a CS student.

[fuzzyfuzzyfungus]

The internet certainly changes 'security' in some ways(eg. this may not be a 'CS' problem; but "you have 1 million users; many of them with room-temperature IQs or horribly malware riddled home computers; you need some heuristics to detect compromised accounts aggressively enough that we don't get blacklisted and the world's major email systems won't touch us; but not so aggressively that we piss off customers with false positives or need to expand our customer service department by a factor of ten" is the sort of security-related question that really only comes up with the scale that the internet allows; and isn't obviously solvable with even the most skilled and rigorous adherence to secure software engineering practices); but, line with the general conceptual confusion, it's not entirely clear why "cybersecurity" is a different thing from "writing correct, robust, software"(which may count as 'CS', may count as 'Software Engineering', depending on the school; but is only different on the internet because your failure to do so will bite you faster, harder, and on a larger scale than it would have pre-internet).

There are operational and systems administration issues that are definitely different because of the internet(since those are in large part about logistics; and scale matters a lot in logistics); but from the perspective of a curriculum somewhere on the continuum between 'CS' and 'Software Engineering'; I'm not really sure how the 'cyber' part becomes relevant. The internet is a mean place because anyone in the world gets a chance to exploit your mistakes; but "understanding what constitutes 'a mistake' in a computer program" or "best practices for not making mistakes even when trying to do things that aren't just toy projects" don't change just because the penalties are swifter and harsher.

Re:It's been a while since I was a CS student.

[parkinglot777]

Turning theory into practice is what lab classes and assignments are supposed to be all about, ...

There is no "lab" classes for junior and senior core courses in CS afaik. You have to find your own time working on assignment/project. Computer security is more on practical aspect, not theory. Of course, there are many courses in CS that can be used as building blocks in security, but that does not mean CS should be teaching a direct course for computer security. Furthermore, computer security is a very deep subject to be taught and would require a lot more knowledge before one can take the course. The one needs to have vast and quite deep knowledge before the one could understand what should be done. In other words, computer security is NOT as simple as many people think.

Most, if not all, assignments in school have certain specifications. When a teacher/professor assign an assignment/project to you, what you need to do is to meet those objectives in order to get full credit. Adding more specifications are not required and may not earn you extra credits. Also, test crashing is NOT security but rather to find bugs in your program. Crashing != Security. Sanitising input is NOT for security purpose but to ensure that your program can and will work properly. Security is just a side effect.

Re:It's been a while since I was a CS student.

[__aaclcg7560]

Successful companies allow for on the job training.

Most Fortune 500 companies do not provide training. Most of my on the job training has been, "Here's your situation, deal with it and good luck!"

Unless they are switching careers or making up for lost time, nobody should ever be expected to bring work home just to succeed.

The training at home is not for the current job, it's for the next job that I'm planning to get. My current job doesn't require Python, Linux or project management. Those are things I wish to know for the next job in three to five years from now.

We need to move past the elitist "I had to learn it and it sucked, so screw you" mentality in IT.

I did that for six years as a video game tester. For the first three years I was the liaison between the QA and IT departments because IT ran a Diablo server that the testers weren't allowed to play on and IT was banned from servicing the QA computers. When I was a lead tester for three years, I went back to school to learn computer programming and get my technical certifications for IT.

Re: It's been a while since I was a CS student.

[SecurityGuy]

Historically, universities were about perpetuating knowledge and the advancement of knowledge.

I've heard this often, but people need to accept that this is no longer the case. We're not talking about the sons of the aristocracy anymore. John and Jane Q. Public don't go to university to advance knowledge, they go to get a job. At it's most ridiculous, some people go to University to play sports without any actual use for the degree they'll get (and sometimes earn) at all.

Re:It's been a while since I was a CS student.

[__aaclcg7560]

In most situations, certificates are almost worthless, and most classes teach you information without context and that will be old in a few years.

If you're doing IT contract work, certificates are a checklist requirement for HR recruiters. As for my programming classes, I never learned a particular programming language but I do remember all the programming structures. I can write a program in pseudo code and then figure out the syntax of a programming language that I never worked with to implement the program.

I have noticed there are many problems that are hard enough that if someone has to ask how to do something, they shouldn't ever do it.

I had that problem with programming. I didn't understand it until I've taken all of my mathematic classes in college, worked in the industry for a decade, and then went back to college to learn programming.

Re:It's been a while since I was a CS student.

[aussersterne]

Um, yes, pen and paper and chalk and chakboard. And math and proofs. Are you lowing mathematics to the lower of "fucking philosophy or gender studies?"

Re:It's been a while since I was a CS student.

[aussersterne]

Er, "to the level of."

After reading this thread, I think a lot of Slashdot posters have no idea what "computer science" as a science actually is.

They think AI researchers or computer vision folks started by sitting down at an Apple IIe and banging out:

"10 REM This is my first crack at an AI program. Let's see how it goes."

Re:It's been a while since I was a CS student.

[aussersterne]

I think there are two fundamental concepts here:

1) Understanding information as representation (cryptography here) and eliminating conceptual ambiguity/unpredictability in algorithmics (security "flaws" here). These fundamentals are absolutely part of the basics of CS, but the emphasis is more on correctness: understanding the nature, reversibility, and properties of the representation and the invariants and rigor of the algorithmics. This is good CS in general, for all cases, and you're right, it's also the fundamentals of security.

But I think when they say "teach security" they actually mean:

2) Harden designed and deployed systems against common vectors for attack in real-world situations.

This requires not just the items from (1) but also a familiarity with particular architectures, implementations, protocols, languages, and conventions and conditions of user thought and behavior. So while there is overlap, I suspect that calls for "teaching security" aren't going to be satisfied with cryptographic theory and parsimonious, sound, and unambiguous algorithmics with strong assumption and bounds checking. Most policy people wouldn't consider that to be "teaching computer security."

Top 10 programs are for prepping for research

Why would it make sense for them to require a cybersecurity course? That's an implementation detail.

These "top 10 programs" are for preparation for entering graduate school and then going into either academic or industry research work on hard, cutting edge problems, like building new algorithms and so forth. Actually making use of the research and getting a product to market that's reliable and secure can be done by ordinary engineers.

Re:Top 10 programs are for prepping for research

[Hognoxious]

Why would it make sense for them to require a cybersecurity course? That's an implementation detail.

Well said. It's as bad as expecting an EE to know how to change a fuse.

Re:Top 10 programs are for prepping for research

[retchdog]

Maybe that's because there are hardly any engineers, "ordinary" or not, in the software industry.

Re:Top 10 programs are for prepping for research

[gweihir]

I strongly disagree. Security is never a "detail". Security must have strong influence on architecture and design, it must take into account and influence algorithms, interfaces, technologies, etc. used, as otherwise it will never work well. Your mind-set is precisely the reason why we have today's mess.

Re: Top 10 programs are for prepping for research

[gweihir]

That would likely improve things significantly.

Re:Top 10 programs are for prepping for research

[SecurityGuy]

Why would it make sense for them to require a cybersecurity course? That's an implementation detail.

And this, in a nutshell, is why security is still a mess after all these years. It's always unimportant, an afterthought, or someone else's job.

Most of the security industry exists because software developers did a bad job. In fairness, it's not necessarily their fault. Commercial operating systems are insecure because people want features and a low price, not security, for example.

"Cybersecurity?"

Pretty sure you won'tt find that course in the curriculum of any serious computer science degree run by a math department. "Cybersecurity" would be something that a 15 year old on a bad 80s science fiction tv show would take at the "Academy".

System security is going to be integral with any serious computer science program. If you don't understand the basics you're not going to make it very far.

..Robert Thomas, CEO of CloudPassage, told SCMagazine.com.

Uh, huh. CloudPassage... right...: "CloudPassage is the leader in software-defined security (SDSec) with a mission of addressing two top inhibitors to cloud infrastructure adoption—security and compliance."

Tell you what Robert, why don't you train your own employees to match your marketing goals, leave the actual computer science to the math departments of post secondary degree granting institutions. OK?

Re:"Cybersecurity?"

[__aaclcg7560]

You might be astonished how many "serious computer science programs" no longer teach the basics.

When I worked the Google help desk in 2008, I had to walk a newly hired CS graduate through the process of turning on his own PC. He was astonished that no one was standing around to turn on his computer like they do at the university computer lab. I'm always surprised by how little computer scientists know about hardware.

Re:"Cybersecurity?"

[Lumpy]

Most CS grads are utterly useless at troubleshooting or critical thinking as well. They don't teach that anymore. They make great code monkeys that just do what they are told though.

The Good ones learn in about 2 years of real world that the ones that think outside the box and try to figure things out for themselves end up at the top of the pile.

Re:"Cybersecurity?"

[__aaclcg7560]

You bloody moron, that is pretty much verbatim what i saw on another thread.

If you checked the name of the poster, it's my comment.

Either you stole it, or you are spamming your shitty anecdotes all over the web.

This is Slashdot. You must be new around here.

You and ShanghaiBill should get together and play cracker while you decide how best to act like complete belligerent pricks.

I do love trolling the trolls on Slashdot.

Re:"Cybersecurity?"

[HiThere]

Which is why I often think that the first class in university computing should be assembler. Possibly MIX or some other really simple virtual machine. (What I'd really like is a virtual IBM 7090, or possibly a bit earlier in that series, but I've never seen one. I virtual Apple ][ would also be good, the i6502 was a nice simple machine. But Apple would probably complain, while the IBM 7090 is out of trademark and patent protection.)

Re:"Cybersecurity?"

[__aaclcg7560]

I virtual Apple ][ would also be good, the i6502 was a nice simple machine. But Apple would probably complain, while the IBM 7090 is out of trademark and patent protection.

The 8-bit computers are still popular with electronic and programming hobbyists. Here are links for the Apple ][ emulator and Apple DOS source code.

http://www.lampefamily.us/jonathan/applepc_emulator/
http://www.computerhistory.org/atchm/apple-ii-dos-source-code/

Re:"Cybersecurity?"

[__aaclcg7560]

A "teaching language" might not be bad either, but it somehow not the greatest motivator to learn a toy language.

I heard Python has become a teaching language at the community college level.

What they really ended up with was a bunch of students hating Java, then learning C, loving it and absolutely refused to go back to Java.

That's what happened to me. My community college couldn't afford to the Microsoft site license to teach C/C++ on Visual Studios (a requirement requested by local employers). I had to learn all flavors of Java in my programming classes. The Linux instructor taught us some command line C/C++ in his classes. When the site license got renewed, none of the lab computers could run MS Visual Studios .NET and it took a while to get new computers. I never touched Java after graduating. I use Python and sometimes C for my programs.

Re:"Cybersecurity?"

[__aaclcg7560]

However, it is the concern of Information Technology which is a distinct discipline to CS and should not be conflated.

The Fortune 500 companies I worked for has policies that prohibits help desk and desktop techs from remotely turning on a workstation for a user. Most of the time these policies apply to users who are working from home and have a secondary workstation that's turned off. It's not IT's job to turn on their computers. If a newly hired CS graduate doesn't know how to turn on a workstation (most have a power button in front), he can sit around and do nothing. It's HR problem, not an IT problem.

Re:"Cybersecurity?"

[complete+loony]

How about a reimplementation of a Commodore C65?

Re:"Cybersecurity?"

[__aaclcg7560]

In that case, it would certainly be expected that the CS graduate be capable of powering on a workstation.

Uh, no. If a CS graduate can't turn on his own workstation, I'll have to question his qualifications for the job.

I don't expect any computer scientist to have any training in singular or networked systems administration.

Turning on a workstation isn't a system admin task.

Re:"Cybersecurity?"

[__aaclcg7560]

You just stole that quoted phrase from the GP! Give it back now you asshole!

Comments like this is why I think ACs should be abolished from Slashdot. :P

Re:"Cybersecurity?"

[HiThere]

C has it's points, but it doesn't give you the same understanding that a nice simple assembler does.

Please note: I'm not talking about an assembler for current chips. That's more complex than C, and harder to wrap your mind around. I'm talking about one that is SIMPLE. Which is why I mentioned MIX and the IBM 7090. Even the Apple ][ assembler is more complex than is ideal. And the M6800 assembler was simpler than the Z80 assembler, but I'm not sure about the i8080, it might have been just as simple.

But NO paging, and it's desirable to only have couple of registers. Those are advanced concepts, and most people don't get any advantage to compensate for the additional complexity.

Please note, I'm not talking about a full semester class in assembler. Probably only a month of the first class. Then transition to C as the next simpler language. (The complexity of C comes when you start using libraries, it's not in the basic language.) After a couple of months of that you can head in nearly any direction. You've got the foundations in place.

What was the purpose of the study?

[kuperman]

As a college professor and computer security researcher, this tidbit certainly caught my eye. There is a growing awareness of computer security and many schools will push the content throughout the curriculum. See the ACM's Computer Science Curricula 2013 for content areas and possible implementations.

Looking at the article, the final paragraph explains some things:

CloudPassage, meanwhile, also is reaching out to universities: it announced today that it will offer free CloudPassage Halo security-as-a-service platform accounts to US computer science programs as well as instructional templates, tutorials, and support. “They can use our infrastructure and products as an illustration, to get some experience,” CloudPassage’s Thomas says.

So, a company I've never heard of issues a press release that they did a "study" (i.e., hired a consultant to look through college course catalogs) that there is a lack in "cybersecurity education" (without actually testing what graduates of those programs know). And look, they are prepared to donate their niche market tools to any school that is willing to use them in required training courses.

I hate being so cynical, but this just reads as a PR move to gain publicity for a tech company.

Re:What was the purpose of the study?

[__aaclcg7560]

And look, they are prepared to donate their niche market tools to any school that is willing to use them in required training courses.

If you want your technology to become the industry standard, you need to capture your users when they're young and don't know better. SUN Microsystems, Apple and Microsoft have done that for years by donating or selling products at low prices.

I hate being so cynical, but this just reads as a PR move to gain publicity for a tech company.

A common practice among many businesses to get attention to their products.

Re:What was the purpose of the study?

[tomhath]

I hate being so cynical, but this just reads as a PR move to gain publicity for a tech company./

And then get it posted as a slashdot article. Even more publicity (free or otherwise).

Re:What was the purpose of the study?

[geek]

You aren't being cynical. This is dead on. I work as a threat intelligence analyst and engineer for a fortune 500 IT department. We have a revolving door of products sold to us in just this way that our exec team falls for. The cyber security biz is rife with snake oil salesmen selling the latest and greatest. I showed my CSO just how bad it was by bringing him into 5 different vendor meetings where we were sold the same exact buzz word salad "They're already in you're network! The average detection takes 18 months!" etc etc.

Most of it is bullshit. Luckily I have a new CTO that gets it. Now maybe we can spend less money on vendors and contractors and more our existing personel.

There's little point to such a course.

[shess]

I'm entirely serious. I've been blessed to work with some of the best software engineers in industry for a few decades, now, and I have come to the conclusion that security is simply a very hard problem, right there with locking and storing data. Talented engineers routinely write themselves insecure code and defend their code when you point out the problems, right up until you describe how to break it. At the university level, very few students will have the experience necessary to understand security issues except as a theoretical problem which likely happens to other people. Industry would receive far more benefit from things like courses on code testing.

Re:There's little point to such a course.

[HiThere]

Security *is* a very hard problem, and if you insist on perfection impossible. This doesn't mean it isn't worth trying for.

OTOH, some "security" practices are just stupid. E.g., change your password every month to a new alphabetic string longer than 8 characters containing at least one punctuation character and at least one digit. And no repetition. That's a guaranteed recipe for work-arounds that break security.

Re:There's little point to such a course.

[gweihir]

That is precisely the point: Engineers and developers with no understanding of IT security always think it is easy and then mess it up badly. Teaching them something about it will make at least the bright ones realize that it is not easy and that they should get expert help when building something that requires security.

Because "professors" dont have a clue about it.

[Lumpy]

Cybersecurity experts are NOT professors with multiple PHD's. It's a waste of time to learn anything but the basics from those guys at unholy high dollars per hour colleges charge.

Re:Because "professors" dont have a clue about it.

[ark1]

How many prominent cryptographers do you know without advanced education?

Re:Because "professors" dont have a clue about it.

[Lumpy]

And all of them are 100% useless in computer security. They are great at encryption, but they suck as bad as a soccer mom at keeping a hacker out of the network.

Alarming? Perhaps not.

[mlookaba]

"The alarming study also reveals that only one (University of Alabama) out of the 121 schools required three or more cybersecurity classes to graduate."

This is an excellent example of tailoring a news story to fit a goal. One university (Alabama) requires three security classes to graduate, so that was picked as the benchmark, and obviously all other schools would fall short. Nothing newsworthy was imparted by that little bit of information.

Computer security certainly is an issue, but it won't be solved by college classes, for the same reason that time/date and character encoding issues will persist until the end of time. Sorry guys.

Computer Science vs. Software Engineering

[blindseer]

I believe that many misunderstand what computer science is and has been in the past. A "science" is a organized study of a field, typically the behavior and structure of the elements in that field. Therefore computer science is a rigorous study of how computers work, should work, could work in the future, and the physics and mathematics behind it. It's a field of applied math and physics. This also means many specializations within that field. One may want to study the mathematical difficulty of an encryption algorithm, or the ability to detect the information transmitted down a data path by an outside observer, both with implications on security but not necessarily a "cybersecurity" study.

Software engineering is the application of the engineering process to develop quality software. This includes a background in computer science to some extent but not to the rigor that a computer scientist might get. This would include the study of possible failure points and the means to mitigate them. In this field one might think that a class on "cybersecurity" should be taken since a quality software product should be secure, or one might assume that people would be taught that checking data inputs and outputs, and moving data in a way that could not be seen and/or altered by an outside entity as a basic premise of writing software correctly.

I took computer engineering in college some time ago. I'm now back in college part time because I realized that my education from then did not include a lot of things that have changed since then. One big change is that "software engineering" was not a common term or even a field of study then. My first time through college I had a lot of computer science students in my classes because there was a lot of crossover in course requirements between computer engineering and computer science. I realized real quick that while I was taking classes on the engineering process the computer science people were taking a foreign language. While I was taking a math course on numerical calculus the computer science students were taking history.

Computer science is a liberal arts program, or at least is in most every university I've seen, and therefore it meets the requirements of a typical liberal arts program. They study a wide variety of fields with an emphasis on the ways a computer works. If you want to see people learn how to write quality software then they need to get an engineering education.

Don't get me wrong, I've seen computer science majors write very good software, and I've seen engineers fail badly. I'm saying let computer science be computer science. If we make computer scientists take cybersecurity courses then we distract from people that take computer science to become historians, algorithm gurus, professors, and mathematicians. Roll cybersecurity into every software engineering class in a university. If a student declares a variable as globally accessible when it should not then that student should lose points on their assignment. If a student does not check the bounds of an input then dock points. If a student doesn't allocate and clear memory properly, points lost. Properly engineered software is inherently secure.

I think that a lack of a cybersecurity course requirement in computer science programs is not a bug, it's a feature. If you want to discuss the lack of cybersecurity in software engineering programs then I'll listen.

Re:Computer Science vs. Software Engineering

[Octorian]

Everyone on Slashdot keeps saying things like this. But in the real world, the degree everyone actually doing software engineering gets is... Computer Science.

That's not going to change until Software Engineering (or similar) is an actual degree offered by a large number of schools, and sought by companies overtly when doing college hiring. (Yes, I know some schools offer a degree with that name, but its not the common mainstream standard degree for software development.)

Re:Computer Science vs. Software Engineering

[blindseer]

Sanitizing unit inputs is a beginning, but it's not the end of secure software design.

Of course. That is why the basics of well written software should be part of the assignment but not overshadow it. In the beginning a student should be, for example, taught things like how to grab input from a keyboard and then the next step should be how to check for invalid input. Then show how to filter out bad characters. Then more, and more, and so on.

Things like validating inputs should be taught from the start and be a part of everything that the student writes. As the student progresses to more complex programs then the instructor should expect more in the ways of proper coding techniques, documentation, and so forth. We don't need to have a class on cyber security (and I'm starting to hate that term) but I'd think it is appropriate to instruct students on how to do some basics of writing good code from the very beginning and keep that as an aspect of writing code at every level of their education.

The very subtle interactions between portions of code that you describe may be something best left for on the job training, graduate school level courses in cyber security and/or quality control, or just for those students that choose to emphasize in that aspect of programming as an undergrad. This is not something that I feel all students in computer science need to know at an undergrad level.

Re:Computer Science vs. Software Engineering

[Tablizer]

"Computer Studies" is the most generic term I have been able to think of to cover a sufficient gamut.

BUT it sounds too fluffy, closer to liberal arts. People pay an arm and leg for college, and they don't want a fluffy-sounding result.

People won't attend a college who gives them a fluffy-sounding degree when they have reasonable alternatives. They fear it makes their resume look weak.

Thus, for appearance/marketing reasons, "Computer Science" won't go away any time soon. Humans are that way.

Re:defense !== offense

[__aaclcg7560]

[...] any joker that can pass a security clearance [...]

I'm going to guess that you never had a government security clearance. When I got my government IT job, my two-hour investigative background interview lasted four hours because of two potential red flags. The first red flag was that I lived in the same apartment for 10+ years. Most people on average moved every few years. The second red flag was working multiple jobs for seven days a week for two years after being unemployed for two years (2009-2010), underemployed for six months (working 20 hours per month), and filing for chapter seven bankruptcy in 2011. If you have more than one job at a time, you must have money problems. So the 20+ contact jobs that lasted one day to nine months during that time had to be checked out by the government.

As for the jokers who got through the process, started work and thought they could slack off because it was a "gubermint" job, they were quickly fired and shocked to find themselves unemployed. Most of my coworkers are ex-military with zero tolerance for slackers.

There's no need to teach CS grads about security.

[johnnys]

There's no need to teach CS grads about security. Here's why:

If a cyber security breach happens, then the company that produced and sold the vulnerable software is never responsible. All end user rights have been signed away in a EULA or some other crooked scheme, so the end user gets to shoulder all the risk.

Since the company sees no impact of a cybersecurity incident, the company execs take no hit. Since they take no hit, the programmers and CS grads who wrote the crap software that caused the problem in the first place also see no impact.

Did people stop shopping at Target? Nope. Are any of the companies that have recently been breached seen senior executives going to jail? Nope. Maybe a few people got fired and stock prices temporarily dipped, but there's so many of these breaches lately that they are all getting lost in the noise.

So there's no point in teaching the CS grads anything about cybersecurity, since it doesn't mean anything to them. It doesn't make them any money and the companies that will be hiring them don't give a damn either.

Business as Usual

[Princeofcups]

I've never met a project manager or engineer who spent any time designing in proper security. That would delay the deliverable. Security is an afterthought, and left for the deployment phase, usually after the first failed PCI scan. Then the sysadmins and network teams get to scramble to plug the holes.

Re:Business as Usual

[gweihir]

While true, more and more often the sysadmin and networking teams can do very little and sometimes nothing at all, because it is a problem typically located in the application-side of things. And there, the complete lack of security-knowledge in those designing and writing the applications is the core problem.

US Navy Seeks Cyber Warfare Engineers

[blindseer]

At the university I was e-mailed a flyer on how the US Navy is recruiting students in computer science and related fields into an officer program in their cyber warfare division. This indicates to me that they will offer training in cyber security to those that qualify.

This also indicates to me that many other employers understand that cyber security is not part of a typical undergraduate CS program, and will teach those people on the job if that is a required skill. I recall talking to recruiters for big businesses on what they look for in software developers, and they want engineers. A computer science major might know a lot of programming languages and so on but learning another programming language is something that can be done easily on the job. What is difficult for recruiters is finding people with a good grasp of proper engineering and enough math to understand how to make a computer do what needs to be done efficiently.

Seems to me that cyber security should lie in the realm of on the job training and/or graduate school. Also, students that learn good programming technique should be writing inherently secure software. Things like good memory management, properly protecting variables, and well documented code should make a program secure.

Another thing is that there is a lot of code written to perform relatively trivial tasks where security is simply not a concern. Code on embedded systems just don't have any attack vectors, or if they do it's a matter of things like you have to "reboot" a child's toy because it got stuck in an infinite loop. Code written for industry will be used by people which one would hope are trained in its use. This code may have to allow for things that might be "insecure" for work to get done. If the person using "insecure" code ends up making a welding robot weld it's own arm to the floor then it's the operator to blame.

Re:US Navy Seeks Cyber Warfare Engineers

This also indicates to me that many other employers understand that cyber security is not part of a typical undergraduate CS program, and will teach those people on the job if that is a required skill.

You're implying that there are software engineering jobs for which security is somehow not a required skill. Maybe there are some situations where your software will only ever be used "in-house", all of the data you work with comes from a completely trusted source, and none of it is in any way private or confidential... but that's pretty unusual, and one would have to be fairly knowledgeable about information security in order to truthfully make that claim.

As a rule, if you are writing software, you ought to be thinking about security.

Things like good memory management, properly protecting variables, and well documented code should make a program secure.

Very wrong, completely wrong, and mostly wrong. Certainly those are good programming practices and will result in more efficient, more stable, and more maintainable code. But security is not about any of those things. Security means thinking about the program in a way that is contrary to most people's intuition: rather than thinking "what are the expected inputs, what are the desired results, and how do I get from one to the other", you need to be constantly asking yourself "what are the conceivable inputs, what are the tolerable results, and how do I ensure that if the devil himself is controlling the inputs, the program will still behave appropriately".

Code on embedded systems just don't have any attack vectors, or if they do it's a matter of things like you have to "reboot" a child's toy because it got stuck in an infinite loop.

This I suppose I can buy, assuming that the device has no radios or other connections to networks, USB ports, external storage devices, etc. And no sensors with which it might be able to collect private data about the user.

Code written for industry will be used by people which one would hope are trained in its use.

But not necessarily trained in the intricacies of the software, or even necessarily computer-savvy in general. Punting your security problems to the user is okay only if the user is informed and capable of managing those problems themselves, which again is not a decision you, the programmer, can make without understanding those problems yourself.

This code may have to allow for things that might be "insecure" for work to get done. If the person using "insecure" code ends up making a welding robot weld it's own arm to the floor then it's the operator to blame.

Sounds great so long as the robot takes input directly from its operator, not from a file that might have come from some untrusted source, and so long as it contains no radios, network connections, external storage devices... remember Stuxnet?

Re:US Navy Seeks Cyber Warfare Engineers

[blindseer]

You're implying that there are software engineering jobs for which security is somehow not a required skill.

I'm quite certain I did not imply that, I stated it quite clearly and plainly. There are many software development jobs where training in cyber security is not required.

Also, I did not claim to give a complete list of all ways to write secure software. I also did not claim to give all vectors by which a program can be attacked.

one would have to be fairly knowledgeable about information security in order to truthfully make that claim.

I am knowledgeable on computer security. I have several IT security certifications and took training in several more. I have written code for some very secure systems, the kind that the government asks a lot of questions before they let you look at their software requirements.

As a rule, if you are writing software, you ought to be thinking about security.

No doubt, because that is just good software practice. As such this should be taught as part of writing good code, we don't need separate courses on information security. When information security rises to the level of stopping a determined attacker then I'd think that should be part of the on the job training, an optional course or set of courses for an undergrad, or a separate field of study perhaps at the graduate level. We have such programs at many schools, typically called "information assurance" or similar.

Re:US Navy Seeks Cyber Warfare Engineers

[Cederic]

Code on embedded systems just don't have any attack vectors

Oh, you naive fucking imbecile.

Conflict of interest

[Futurepower(R)]

Computer vulnerabilities make money for technology companies. Have an Android KitKat 4.4 phone? Sorry, no updates. Buy a new phone.

Most CS programs skip SQL

[EmperorOfCanada]

Keep in mind that most CS programs tend to be run with a bit of a revulsion to practical things. They argue that practical is the realm of CE not CS. Thus there will be classes in database design, as in how the guts of a data store will work, but nothing much on practical database usage. The theory (and not terribly wrong) is that by learning the guts it should be easy to learn the practical, if needed.

For me I would rather learn both as then the guts of the matter have some practical knowledge that might help it stick.

So it is no surprise that few teach practical cybersecurity, they probably do cover crypto courses where Diffie Hellman is examined in great detail.

My simple complaint is that few recent CS grads that I have met really can deliver useful code in quantity. When managing them I often find them reinventing the wheel. I will point to a python library that I want them to use in what should be a 40 line bit of code to do some very straightforward thing and a week later I find them beavering away in Haskell building a "state-machine". They will then argue that Python is too slow where I point out that my estimate is that the code will run every Friday at 3 am, will probably take 20 seconds and yet only needs to be done by opening on Monday. So even if I were to be wrong by a factor of 100 all is still good.

The code then runs in 8 seconds.

So while I am not at all shocked by no cybersecurity training, I do wish that minimally the schools would be a bit more practical so as to allow some of the abstract material have something to latch on to.

Re:Most CS programs skip SQL

[__aaclcg7560]

I will point to a python library that I want them to use in what should be a 40 line bit of code to do some very straightforward thing and a week later I find them beavering away in Haskell building a "state-machine".

A 40-line Python program shouldn't take a week to write. I can understand why CS graduates would wander off into a rabbit hole to write a Haskell state machine. What I don't understand why you didn't keep a closer eye on them to make sure they didn't dive into a rabbit hole in the first place.

Re:Most CS programs skip SQL

[Tablizer]

Keep in mind that most CS programs tend to be run with a bit of a revulsion to practical things.

They get "credit" for students who go on to academic research or cutting-edge projects. Being good at rank-and-file IT doesn't help the school reputation as much and thus they mostly ignore it.

It's a silly reputation game and too few call them on it. And it jacks up tuition to boot.

Re:Most CS programs skip SQL

[Tablizer]

I should have also pointed out that unless you go to one of the "elite" universities, like MIT or Cal-Tech, you will probably end up in rank-and-file IT whether you want to your not. There's only so many slots for cutting-edge research and academic positions. I bet at least half the IT students at the elite universities will also.

Re:Most CS programs skip SQL

[EmperorOfCanada]

I was deliberately handing out rope at a lynching party. This sort of crap had been an ongoing problem. It allowed me to boot him off the team and get an excellent replacement.

Re:Most CS programs skip SQL

[EmperorOfCanada]

As your second comment points out this mostly applies to elite students at elite institutions. Yet I see the same problem at both the elite and third rate CS universities.

My long standing experience is that most of the students who are fantastic programmers were fantastic programmers before they went to school while everyone else is learning about a linked list they are working on their own OS. Or have just submitted their umpteenth contribution to the Linux Kernel. Then they leave the university(potentially before graduating) and end up doing something really strange. Creating some crazy massively parallel processor design for a company that makes fibre optic comm gear. Or you read about them as one of the first employees at some company just bought out by Google for 8 zillion dollars.

Where I used to live had a 2nd rate university that had a PhD CS program. I knew one of the professors and he would often introduce me to graduate students. I would ask them what they were working on and after they would tell me I would either think (I always kept my mouth closed) "that sounds completely useless", or even more often, "I think I have downloaded that module to play with once."

It was things like getting a neural net to examine sonar data and find the optimal routing for underwater cables. Or it was totally abstract and was pretty much just really really hard discrete math that would poke some theoretical hole in bitcoin, a hole that I think was already known such as the 50% problem.

Re:Most CS programs skip SQL

[__aaclcg7560]

I was deliberately handing out rope at a lynching party. This sort of crap had been an ongoing problem. It allowed me to boot him off the team and get an excellent replacement.

I had a boss who tried to do that to me, but I kept a log book and documented everything. HR decided in my favor. His replacement told me stop documenting management actions and told him to bugger off. Many companies later, I still keep a log book and document everything.

Re:Most CS programs skip SQL

[EmperorOfCanada]

If this guy had logged his work it would have read.

Took 2 weeks to not even do 1 day's work. Ignored technical guidance from manager. Work given to co-worker who completed it in 1 day.

Took 2 weeks to not even do 1 day's work. Ignored technical guidance from manager. Work given to co-worker who completed it in 1 day.

Took 2 weeks to not even do 1 day's work. Ignored technical guidance from manager. Work given to co-worker who completed it in 1 day.

Took 2 weeks to not even do 1 day's work. Ignored technical guidance from manager. Work given to co-worker who completed it in 1 day.

Took 2 weeks to not even do 1 day's work. Ignored technical guidance from manager. Work given to co-worker who completed it in 1 day.

Took 2 weeks to not even do 1 day's work. Ignored technical guidance from manager. Work done by manager who did it in 20 minutes.

Kicked off team.

Re:Most CS programs skip SQL

[EmperorOfCanada]

One other thing. This guy has made me a whole hell of a lot of money. Every publicly traded company that he ever worked for since his departure I have made unholy large bets against. If their share price was $100 I would buy way out of the money options a year or so in the future betting that it would crack $50. I am not joking when I say that he has never let me down. Blackberry hired him early 2007, I bet a huge chunk of my portfolio on that with about a year until expiry. There isn't a whole lot of volume that far out so I was buying day after day, week after week. The whole time Blackberries stock climbed to crazy new heights, he got a promotion, and I kept buying. The stock tanked hard, so I checked to see if they had laid him off. I then kept buying and buying. Finally they laid him off so I stopped and waited until it was time and then turned my options into a huge profit. My only regret was to not have borrowed money to really make that bet.

I have another douche who I use who worked at Nortel and he made me a nice pile. The timing couldn't have been better. I heard through the grapevine he was hired there and I jumped on the options. The company tanked so fast that they gave him a severance before he had even moved there.

My theory is that when companies are so screwed up that they hire either of these two (among 4 others I watch on LinkedIn) that it categorically proves that the companies are rotten to the core. Any minor background check will show that people consider them to be gigantic useless tools. People who are actually anti-productive. I am little disappointed in that none of them are working for a public company for the last couple of years.

These guys aren't being hired into executive positions, so I don't attribute the companies tanking to their behaviour, but the fact that if they are hired, so must be so many other lumps of dung.

Typo: "implementations CE had designed"

[aussersterne]

should have been.

CS = math + theory
CE = programming + hardware
IT = deployment + operations

That's the way it was at my university back in the '90s. This was at a large school that is in what is now the PAC-12 conference. Each one was a separate, rigorous four-year degree.

Yeah, this.

[aussersterne]

At least in the CS school I attended, I don't think there were many people that could have "fixed a computer" or "written an application," even amongst the faculty, really. Their job was to answer the question "Can this real-world phenomenon, problem, or pattern be usefully symbolically represented for processing, and if so, how, and with what consequences?" If they were able to answer this question, they'd then toss it over to engineers in the CE department for "Can you design for us an apparatus or a program that carries out this kind of symbolic representation in the interest of computation?"

Two very separate fields.

Re:I am an unemployed security specialist.

[__aaclcg7560]

No one is spending any money on security, they just chuck it in as a line item on a job requirements sheet.

The federal government is spending money on computer security. That's how I got my current job in government IT. So many computers, so many problems. I thank Microsoft everyday for my job security.

im-practical

[h8sg8s]

Back in the day, I was taking an undergrad DB design course and asked the professor, "can you give an example of how tableau method is generalized in any commercial or open source DB program?" His response was, "why do you care, we study theory here.." CS academia is so stuck in the clouds of theory that the mere mention of a practical application for was reviled. Fast forward [mumble] years and it seems to be that way still.

Um, no shit

[rsilvergun]

Real computer science is just math with computers. This sounds like businesses are tired of having to pay for some extra specialized training they want which has little to no value outside of their exact use case. I'm seeing this a lot with colleges where more and more they exist to get you ready for one very specific job. That'd be peachy if that job lasted 50 years and then you retire but a lot of times it's so highly specialized you might have trouble finding work in a decade. Meanwhile you're still paying off the $100k of student loans it took to get that training.

When did the general population stop noticing crap like this?

Not wrong, but grads hired as programmers

[raymorris]

Absolutely computational theory is a different beast than most programming. HOWEVER, CS graduates don't generally work as theorists. They very often end up working as programmers, systems architects, etc. They come reasonably prepared- CS is certainly better preparation than my last two bosses had - one major in architecture and the other in electrical engineering. If we're going to teach them the fundamentals of programming and information engineering, we might include an awareness of security as part of those fundamentals.

Also, there's a lot of work to be done on the more theoretical side of security. Because programmers aren't perfect, wouldn't it be nice to have a provable sandbox, to know, based on mathematical proof, that no program run in some context X can possibly access a resource in some other context Y? How about proving that a set of library functions can't have buffer overflows, regardless of their input? Cryptology is of course all about theoretical, mathematical, "prove the computational complexity" type of thinking. It would be awesome to have an implementation of key exchange that's PROVEN correct.

Provable sandbox, or any provable security (librar

[raymorris]

Here's a hard problem that's very much in demand right now, that's 100% comp sci. Given that day-to-day programmers are in fact not perfect, it would be awesome for them to have provably secure libraries. Library functions that CAN'T result in a buffer overflow or underflow, for example.

You want a grander problem? How about a provably secure sandbox? We've seen how "engineered" sandboxes such as Flash, Java, and Android have worked out. Designing a sandbox that provides /emulates a basic CPU while PROVABLY not allowing access to any resource outside of the sandbox would be a comp sci project that could advance security in a huge way.

Computer Science is mostly math

Computer Science is mostly math

For the record I'm CS but CS is mostly math it's the highest paying computer related degree but actually teaches very little that most employers want.
Not sure why it's still so in demand but it might have something to do with the intelligence required to graduate, many more people can go to classes that sit down and teach you all the hottest IT/dev tools one at a time. My CS class barely glossed over how to use the tools required to do the job. Learning C and C++ was literally
"You all probably know java by now but you'll need C to complete this assignment due next week, there are some links on the syllabus that might help you bridge the gap" I don't think they taught UNIX except for kernel programming. I remember they gave me the hardest networking class of my life but the information was so theoretical that I doubt most of the students could have set up a small network any more complicated than workstations plugged into switches without extra help, though they could probably explain all the math and theory.

I implemented common crypto algorithms and learned memory manipulation techniques like buffer overflows and stuff like that.

Most IT departments couldn't care less if you know that stuff they want you to know how to use metasploit, how to configure an IDS, how to use access control, VPNs, and maybe stuff like physical security and structural controls like how to classify documents.

CS departments literally don't have time to teach cybersecurity.

Re:Computer Science is mostly math

[gweihir]

CS done wrong is mostly math. Done right, nothing but "Theoretical CS" has any business being mostly math.

Use your Secure Network

[tengu1sd]

Now that I'm a customer instead of the VAR everytime I challenge a vendor on a security issue, the answer is either FDA device no changes allowed or just make sure it's on your secure network. If I get in early enough, I can bounce a vendor in RFP, but some days, we're stuck with a product that cries to be rooted.

Defense against the dark arts at UVa

[whh3]

A really neat class at the University of Virginia:

A report describing the class' pedagogy: Defense Against the Dark Arts

and a link to the current class website: Online syllabus

So?

[fluffernutter]

Cyber Security is an IT (practical) practice, not a "Computer Science" practice.

Re:So?

[gweihir]

Completely wrong. IT Security even has questions that fall under "theoretical CS".

Maybe infosec should not be it's own discipline?

[walterbyrd]

What I mean is, maybe infosec should be part of everything, instead of it's own specialization.

For example, maybe infosec should be part of software development class, and part of a database class, and part of a networking class, and so on?

Infosec to a network engineer is different than infosec to a java developer, which is also different from infosec to a system administrator.

The Emperor has no clothes

[Cyberpunk+Reality]

Why would the Establishment want to teach students that the status quo approach to computer security is nothing but lies and failure?

C strcpy can, Java, Flash strcpy can't. Or can?

[raymorris]

We know that C strcpy can result in overflow, as can the Caddition operator with it's own special version of overflow. But copying a string in Java or Flash can't result in overflow, right? Prove it. The specification for each is simple and clear.

You don't need to prove all of the application software, much can be gained by proving that the language or library is safe from user error (where user means application programmer). Where you DO want to prove some part of the application software to some degree, proving the library, compiler, or interpreter is a precondition.

They don't teach error handling either

[mveloso]

They don't teach error handling either. How many handouts in CS have said "error handing as an exercise left for the reader?" if it's mentioned at all.

However, it's arguably one of the most difficult designs you can make when you write software.

Security == Understanding of the Machine

It seems to be that everyone is missing the key point. Security comes from a holistic understanding of a system. Security comes in different flavors. It exists (hopefully) at many layers of OSI model. Therefore to be a useful security engineer in any regards, you need to understand completely what you are working with. For example, one would not expect someone who specializes in compiler theory and implementation to proficient in web-based security. And vise versa. Once you have a firm grasp of a given system, say compiler theory/design/etc, then you may begin to understand the attack vectors associated with that technology. At my school, university of wisconsin, the security class in designed to be taken at a senior undergrad level, once you have gotten the necessary skills in previous classes. With an advanced class offered at the graduate level. Of course these courses won't make you an expert, but they might get you in the door as an entry level security engineer. Or maybe as a junior cs security researcher.

Re:Provable sandbox, or any provable security (lib

[TheRaven64]

Designing a sandbox that provides /emulates a basic CPU while PROVABLY not allowing access to any resource outside of the sandbox would be a comp sci project that could advance security in a huge way.

It exists. You might want to look up Google Native Client. The verifier for it has been formally verified and guarantees that no memory accesses can be to the outside of the sandbox. Of course, that's not the entire problem. It's trivial to prove that a program that has no side effects is secure, but anything useful in a sandbox has to be able to communicate with the world outside of the sandbox. And as soon as it can communicate with the outside world, it becomes a staging ground for attacking the bits that are outside of the sandbox and are not verified.

Interesting, thanks. Can't find a reference

[raymorris]

I didn't know that the NaCl verifier had been verified. That's very interesting, thanks. In fact I still can't find a reference for that, probably just because Google searches with the word "verified" turn up so many results talking about code verified BY the verifier.

Re:Maybe infosec should not be it's own discipline

[walterbyrd]

That's about what I figured.

My point is: security should be more emphasized in all those classes. Security as a separate discipline does not make much sense, since security is different for a Java developer, or a network engineer.

The article nailed it.

[Jawnn]

We employ a handful of developers, some in-house some contractors. All but one has had be taught the importance of some of the fundamentals of secure programming. To see their code, you'd have to assume that they'd never been exposed to the idea of input validation, for example. I don't know if I'd lay the blame wholly on academia, though. Some of our crew are largely self-taught, but still, whatever learning resources they've relied on clearly did not address security.

IMO, it is inexcusable that those with CS degrees have not had more exposure to security issues. "The threat" is a fact of life and any leader in any information technology role should have a grounding in the security principles around that role.

Re:This is fair and reasonable

[chfriley]

I went to one of these Top 10 CS program schools (for a graduate degree) and you can tell a lot (probably even the university) by the fact that the CS Department was in the Applied Physics and Math building. It has a lot of math and theory. There are a ton of theory classes. Plus there are SOMEWHAT more practical class in OS's, AI, natural language processing, neural networks, interface design/human factors depending on your interests. All have a huge component of the theory though so that you aren't just learning about Unix/Linux from an OS perspective, but you are learning the theory and rational behind various designs. e.g. you might learn about the Mach kernel versus the BSD kernel but with much focus on why certain design decisions are made and how that impacts performance and the like.

For example, you'll learn about CPU design and trade-offs there. You'd learn about Flynn's taxonomy and various examples of them, but you wouldn't just learn a particular implementation of a MIMD machine with nothing else.

Now we did not have a specific class in security, but it was a huge concern in the OS classes regarding processes, stack etc, and in the hardware classes for CPU memory protection and the like. Ditto compiler classes where you would have the compiler (or tools tied into it) to do verification or bounds checking etc. Even the the Theory of Computation classes it was touched upon in the NP/P discussions (Thanks Christos Papadimitriou). We discussed viruses, worms (the Morris worm impacted everyone Nov of 1988) and other malware (and this was 1988 and 1989) and best practices in terms of hardening the OS and applications so that they weren't (hopefully) vulnerable. Certainly a lower level than at the browser level, but the security discussions were wrapped into the appropriate classes so that you were made aware of the issues when appropriate.

Would a high level overview be appropriate now? Perhaps. I am not convinced though that it should be pulled out of the individual classes since I don't see that there is one "theory of security" that applies to all areas universally and it might be better discussed where it is appropriate. Maybe it would be useful, I'm just not convinced yet.

The point being that you are learning the foundations and not having it like a trade school where they get you a Microsoft certification - and there is NOTHING wrong with that, btw, it is just a different focus of what a particular program would be. Sure you can code and you know doubt know a lot about Unix (or derivatives) since you are using them, but the focus isn't on a set of skills for a particular OS or CPU. You are learning so that you can go to Microsoft, Apple or wherever and help them decide on the best way to implement something to accomplish a particular set of goals. :-)

Re:A better choice would be the PDP-11

[HiThere]

I don't know the PDP-8, it might be a good choice. But in covering the assembler the goal is to teach basic principles, how integers are represented, what overflow means, etc. so "a bit more practical" is beside the point, and likely to be actively detrimental. Real CPUs tend to be complex, and you don't want complexity to hide the basics you're trying to convey.

Certainly, anything that could run Linux would be inappropriate, as Linux requires a memory management unit, and that's complexity beyond the desirable level.

Alabama?!?

[Sir+Holo]

FTA: ... The alarming study also reveals that only one (University of Alabama) out of the 121 schools required three or more cybersecurity classes to graduate.

University of Alabama?

Wow, I did not know they even had a University, it being Alabama and all. Kudos to their CS Department.

But also, to every other CS Department in the US: U. Alabama is trouncing you in this arena. How does that feel?