MatSays

My Last Day Teaching

Tonight was my last night teaching (maybe*).  I started in 2006 teaching at the Art Institute of Las Vegas and, after starting my Master’s program at UNLV, started teaching there as well.  AILV was a much more practical approach, UNLV more theory and discussion. It’s had its ups and downs, but in the end, it was a bit bittersweet.

The Things I Will Miss

  • The unfettered creativity of students whose minds have not been destroyed by the realities of life
  • Intelligent questions that even make me think
  • Students who bother to challenge my opinion (or even better, a methodology)
  • The thanks from the one student each semester who tells me that something they learned helped them get their first job or changed their mind about [insert topic here]

Things I Won’t Miss

  • Students who think I don’t know that they’re on Facebook (and those of you in INF400, yea, we did hack your passwords)
  • Blank stares, the head nods (despite being good for comedy relief)
  • Fluff.  (Please, if you’re a student and reading this, a quick word of advice – answer succinctly or just admit you don’t know)
  • Superficial essays. (See above – do your [expletive] research – there is such a thing as a library)
  • Lack of effort, especially on exams (I mean, please, if you ASK me for true-false and multiple-choice, then you should get at least better than 50% correct, and even more so when I tell you how many questions are on each topic and mark my slide sets with the important slides)

Anyway, I say maybe because there’s still a chance I might be returning for INF400 Web Security but not likely.  So to those students who at least appeared eager that I would be back for one more round before UNLV shuts the doors on Informatics forever, I’m sorry I didn’t tell you but keep at it and don’t be afraid to email me if you have questions.

Teaching Web Security Topics

In teaching a class on Web Security (UNLV’s INF400 Special Topics in Informatics: Web Security), I spend a lot of time just trying to determine what topics I can cover. Despite a seemingly long semester – some 16 weeks – it is sometimes surprising how little one can actually cover in 40 hours of instruction.

It occurred to me, in reviewing my notes from the time I taught it in the Spring (2010), that I ended up having to cover an inordinately large amount of basic background material. As I progress through piecing together the syllabus, I find myself looking for ways to streamline the ramping-up process so we can get to the meat of it quicker.

For example, take basic XSS (cross-site scripting) – just to even approach the topic, I have to assume that the student has a basic knowledge of the HTTP protocol (including headers, methods and responses), an understanding of browser protections (sandboxing and the same-origin policy), a relatively good understanding of JavaScript (and HTML for that matter), and a willingness to spend time practicing and failing without getting frustrated. For SQL injection, the student needs a good understanding of the protocol, idempotency, RDBMS structures and the differences between engines, structured query language, and an understanding of the pass-through language (PHP, ASP, etc.) along with how the forms interact and where lax validation and scrubbing might occur.
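To make the last point concrete, here is an added example (not code from the post or from the INF400 course) showing where lax validation and scrubbing actually bite in the pass-through layer: a form value concatenated straight into SQL, beside its parameterized fix, and a form value echoed straight into HTML, beside its output-encoded fix. The table, the rows and the test inputs are all constructed for the example, and Python with the standard library's sqlite3 stands in for whatever PHP/ASP-plus-RDBMS stack a lab actually uses.

```python
import html
import re
import sqlite3

def make_db():
    """Constructed in-memory table standing in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn

# --- SQL injection: the lax pass-through versus the parameterized query ---

def lookup_unsafe(conn, name):
    # The form field is spliced into the statement text, so the database
    # engine cannot tell where the developer's SQL ends and the user's data begins.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # Bound parameter: the engine receives the value separately from the
    # statement and treats it purely as data, whatever characters it contains.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()

# Allowlist validation on top of parameterization: reject anything that is
# not a plausible user name before it reaches the database at all.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def is_valid_username(name):
    return bool(USERNAME_RE.fullmatch(name))

# --- XSS: echoing input into the page versus encoding it for the HTML context ---

def render_unsafe(name):
    # Raw string concatenation: markup in the input becomes markup in the page.
    return "<p>Hello, " + name + "</p>"

def render_safe(name):
    # html.escape turns <, >, &, " and ' into entities, so the browser renders
    # the text instead of parsing it as tags or attributes.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"

def demo():
    """Run both forms against an ordinary value and a constructed hostile value."""
    conn = make_db()
    ordinary = "alice"
    hostile_sql = "x' OR '1'='1"          # constructed test input, not a real user
    hostile_html = "<script>alert(1)</script>"
    return {
        "unsafe_ordinary": lookup_unsafe(conn, ordinary),
        "safe_ordinary": lookup_safe(conn, ordinary),
        # The unparameterized query returns every row; the safe one returns none.
        "unsafe_hostile_rows": len(lookup_unsafe(conn, hostile_sql)),
        "safe_hostile_rows": len(lookup_safe(conn, hostile_sql)),
        "hostile_passes_allowlist": is_valid_username(hostile_sql),
        "unsafe_html": render_unsafe(hostile_html),
        "safe_html": render_safe(hostile_html),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two "safe" functions are what a lab should end on: the parameterized query fixes the injection regardless of what the allowlist lets through, and the allowlist is a second layer that also catches bad input early enough to log it. Note that `html.escape` is correct only for text placed in an HTML element body or quoted attribute; a value dropped into a `<script>` block or a URL needs the encoding for that context instead.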

Example XSS attack on ads.youtube.com (screen by Stephen Sclafani)

So I end up spending some 2-3 hours (which isn’t sufficient in the first place) just reaching the point that I can have a reasonable and engaging discussion about the dangers of XSS. And another 2-3 to do SQL injection. Add on top of that cross-site request forgery, sidejacking, digital rights management, rogue CAs, web server exploits, caching breaches, DoS and DDoS, parameter pollution and more, and suddenly the 40 hours is gone very quickly.

I am also adamant that in a Web security course students must have hands-on labs performing some hacking. In my experience, providing a platform for students to see and experience what a hacker’s eyes see changes their perspective, giving them the tools to think like the predator and seek better protection. Many of these students leave with a cognate in Cybersecurity (since UNLV’s now-eliminated Informatics program is still an NSA Center for Academic Excellence – CAE – in cyber security).

My point is simply that there needs to be more. Students in any computer science, informatics, HCI, UX, web design, MIS or similar program should be required to take a course in Web Security and preferably more than one, simply because the material is so vast and quickly becoming more pronounced as the Web becomes increasingly part of the fabric of everyday life.

According to privacyrights.org’s chronology of data breaches, there were 342 million “records” breached from 2005-2009 alone.  In 2010, another 167 million; this means 2010 had nearly 50% of the total breaches of the preceding 4 years – we’re almost reaching a geometric increase in such exploits.  Of course this figure isn’t limited to records stolen through Web sources, but as data becomes increasingly available and privacy only semi-transparent, the Web is sure to only add to this.

There is a prevailing need for more skilled workers with a good understanding of cyber- and web security, as much as the need for general public awareness.  Just as computers and the Internet have become ubiquitous, so has the need for security in them.