Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-12 Thread Fernando Schapachnik
En un mensaje anterior, Blue Boar escribió:
 Fernando Schapachnik wrote:
 I smell a discusion going nowhere. What is the point of teaching a 
 languague?
 Teach them to program in a paradigm (better, in all of them, and give them 
 the
 tools to make educated choices about which is better for each context), and
 choose any language as an *example* of the paradigm.
 
 Ah... but beyond design problems, aren't most security problems 
 language-specific abuses and bugs?  I'm thinking things like I didn't 
 realize it would let me mix signed and unsigned... I didn't realize it 
 would let me right off the end of the buffer... I didn't realize I had 
 to escape or filter certain characters

Same thing happens with concurrency. You need to tell them about shared
variables, mutexes, locking, atomicity, protected sections, etc. When they are
going to undertake a real project in a specific language they need to know how
these are implemented there. I expect them to be able to learn that from the
multiple available resources, once the foundations are learn.

Now s/concurrency/security/. Imagine next year, when language NEW appears
and some people from this list are required to work in it. I suspect most
of them would probably apply their existing knowledge and some searching around
to understand the new thread model, and act acordindgly. Is the same scenario
for students.

Regards.

Fernando.





RE: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-09 Thread Peter Amey


 -Original Message-
 From: Crispin Cowan [mailto:[EMAIL PROTECTED]
 Sent: 09 July 2004 04:27
 To: Peter Amey
 Cc: ljknews; [EMAIL PROTECTED]
 Subject: Re: [SC-L] Education and security -- another perspective (was
 ACM Queue - Content)
 
 
 Peter Amey wrote:
 
 What is wrong with this picture ?
 
 I see both of you willing to mandate the teaching of C and yet not
 mandate the teaching of any of Ada, Pascal, PL/I etc.
   
 
 Makes sense to me. what is the point of teaching dead 
 languages like 
 Ada, Pascal, and PL/I?  Teach C, Assembler, and Java/C# (for the 
 mainstream), and some lisp variant (Scheme, ML, Haskell) and Prolog 
 variant for variety. But Ada, Pascal, and PL/I are suitable 
 only for a history of programming languages course :)
 
 
 I do hope that is a sort of smiley at the end of your 
 message.  Please.
   
 
 It is a sort-of smiley. On one hand, I find the whole thing 
 amusing. On 
 the other hand, I find it patently absurd that someone would suggest 
 that curriculum in 2004 would comprise Ada, Pascal, and PL/I, all of 
 which are (for industrial purposes) dead languages.
 
 On one hand, university should be about learning concepts rather than 
 languages, because the concepts endure while the languages go 
 in and out 
 of fashion. 

[snip]

I would have to (at least partly) diagree on two counts.  

Firstly a tactical one: Ada is by no means a dead language.  There is a great tendency 
in our industry to regard whatever is in first place at any particular point in life's 
race to be the winner and everything else to be dead.  In practice very 
substantial use may continue to be made of things which are not in the ultra-visible 
first place.  For example, OS/2 was killed by Windows yet most ATMs in the USA still 
run OS/2.  We have't discussed the dead languages Cobol and Prolog but both are 
actually still in widespread use, the latter in the specific niches for which it is 
suitable.  Ada is actually still doing rather well in areas where high reliability is 
valued more than fashion (the Ada side of my business is growing steadily and has been 
for years).  Since we are concerned on this list with improving the security (a form 
of reliability) of systems, study of a language which has a proven track record in 
delivering relibaility is wholly appropriate.

Secondly, in response to your suggestion that we teach concepts (which I wholly agree 
with), languages, including dead ones, encapsulate and illustrate concepts.  Pascal 
was designed to teach structured programming.  Occam provides a splendid introduction 
to concurrency.  Modula-2 and Ada are ideal for illustrating the vital concepts of 
abstraction, encapsulation and the separation of specification and implementation.  
The languages are worth studying for these reasons alone.  Those exposed to them will 
be better programmers in any language and will find adoption of new ones much easier.  

As you say, languages come in and out of fashion; what I find sad is that so many of 
the new languages have failed to learn and build on the lessons of those that have 
gone before.  I think it highly probable that this is because their designers have 
casually dismissed those that went before as dead and therefore of no interest.  They 
would have done better to emulate Newton and stood on the shoulders of giants such 
as Wirth.

I would never recruit someone just because they knew Ada rather than C; however, I 
would be highly unlikely to recruit someone who had such a closed mind that they 
thought Ada had nothing to teach them and was only fit for snide mockery.


Peter


**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.  The IT Department at Praxis Critical Systems can be contacted at 
[EMAIL PROTECTED]
This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.
www.mimesweeper.com
**



This e-mail has been scanned for all viruses by Star Internet. The
service is powered by MessageLabs. For more information on a proactive
anti-virus service working around the clock, around the globe, visit:
http://www.star.net.uk





Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-09 Thread Crispin Cowan
Peter Amey wrote:
What is wrong with this picture ?
I see both of you willing to mandate the teaching of C and yet not
mandate the teaching of any of Ada, Pascal, PL/I etc.
 

Makes sense to me. what is the point of teaching dead languages like 
Ada, Pascal, and PL/I?  Teach C, Assembler, and Java/C# (for the 
mainstream), and some lisp variant (Scheme, ML, Haskell) and Prolog 
variant for variety. But Ada, Pascal, and PL/I are suitable 
only for a history of programming languages course :)
   

I do hope that is a sort of smiley at the end of your message.  Please.
 

It is a sort-of smiley. On one hand, I find the whole thing amusing. On 
the other hand, I find it patently absurd that someone would suggest 
that curriculum in 2004 would comprise Ada, Pascal, and PL/I, all of 
which are (for industrial purposes) dead languages.

On one hand, university should be about learning concepts rather than 
languages, because the concepts endure while the languages go in and out 
of fashion. Evidence: 20 years ago, when I was in college, Ada, Pascal, 
and PL/I only included one dead language :)  On the other hand, the 
students do need to get a job when they graduate, and we do them a 
disservice to not at least teach concepts using a language currently in 
use in industry.

There is also room for a lot of breadth in a college program. I was only 
overtly instructed in languages a few times, the rest were read the 
book then do this assignment. But in that approach, I learned COBOL, 
Pascal, PL/M, 68000 assembler, C, C++, FORTRAN, VAX assembler, Prolog, 
LISP, and Maple.  Its not like this list needs to be short.

Crispin
--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix  http://immunix.com



Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-09 Thread Crispin Cowan
Peter Amey wrote:
Firstly a tactical one: Ada is by no means a dead language.  There is a great tendency in our industry to 
regard whatever is in first place at any particular point in life's race to be the winner and 
everything else to be dead.
Ada was pushed hard enough by the DoD for a decade that it is to be 
expected that there is a lot of Ada code to be maintained. I'm also 
willing to believe that your business in Ada may be growing, but that is 
likely because others are exiting the business and leaving the 
remainders for you; I do not believe (unless you have evidence to the 
contrary) in significant growth in new project starts in Ada.

I focus on new project starts because that is the only case in which 
language selection is even an interesting question. For any kind of 
on-going work, using the same language that the project was started in 
is the obvious choice most of the time.

 In practice very substantial use may continue to be made of things which are not in 
the ultra-visible first place.  For example, OS/2 was killed by Windows yet most ATMs 
in the USA still run OS/2.
But no new OS2 ATMs are being built, and they are being phased out.
 We have't discussed the dead languages Cobol and Prolog but both are actually still 
in widespread use,
COBOL: same reason, legacy systems, and LOTS of them.
Prolog: not so sure. Prolog may still be a language of choice for expert 
systems projects. But I don't work in that field. I do have a completely 
un-used Prolog text book left over from grad school if someone wants to 
buy it :)

Secondly, in response to your suggestion that we teach concepts (which I wholly agree with), languages, including dead ones, encapsulate and illustrate concepts.  Pascal was designed to teach structured programming.  Occam provides a splendid introduction to concurrency.  Modula-2 and Ada are ideal for illustrating the vital concepts of abstraction, encapsulation and the separation of specification and implementation.  The languages are worth studying for these reasons alone.  Those exposed to them will be better programmers in any language and will find adoption of new ones much easier.  
 

In programming language terms, Ada is grossly primitive. Its object 
orientation mechanisms are crude at best. A *great* deal of progress in 
language technology has been made since Ada was developed. For just 
about any kind of concept or safety feature, students and developers 
would be better served to consider Java, C#, or ML instead of Ada.

As you say, languages come in and out of fashion; what I find sad is that so many of the new languages have failed to learn and build on the lessons of those that have gone before.  I think it highly probable that this is because their designers have casually dismissed those that went before as dead and therefore of no interest.  They would have done better to emulate Newton and stood on the shoulders of giants such as Wirth.
 

And that is what I meant by history of programming languages. Java, 
C#, and ML are strictly better than Pascal and Ada for almost 
everything. But they did not spring out of the earth, they were built on 
the progress of previous languages. Java in particular contains no novel 
features at all, but rather shows good taste in the features it borrows 
from others. What made Java interesting was the accident of history that 
caused it to become the first strongly typed polymorphic programming 
language to become widely popular.

You *can* teach object orientation with Simula 67 or SmallTalk, if you 
really want to. But teaching object orientation with Java is a lot more 
approachable in the contemporary context.

I would never recruit someone just because they knew Ada rather than C; however, I would be highly unlikely to recruit someone who had such a closed mind that they thought Ada had nothing to teach them and was only fit for snide mockery.
 

I don't mock Ada for what it is: a fairly good programming language from 
the 1970s, with obvious scars from having been designed by committee 
(too big, too many features). Ada's defects are artifacts of its age and 
its history, not of poor design.

I do mock the suggestion that a large, complex, and retrograde language 
with no industrial growth is a suitable subject for undergraduate education.

Crispin
--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix  http://immunix.com



RE: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-09 Thread David Crocker
Crispin Cowan wrote:


In programming language terms, Ada is grossly primitive. Its object
orientation mechanisms are crude at best. A *great* deal of progress in
language technology has been made since Ada was developed. For just
about any kind of concept or safety feature, students and developers
would be better served to consider Java, C#, or ML instead of Ada.


I'm no fan of Ada (I find the language cumbersome and verbose, and it makes a
pigs ear of trying to be fully O-O) - but I have to defend Peter Amey in this
case.

There is a tendency to regard every programming problem as an O-O problem.
Sometime last year I read a thread on some programming newsgroup in which
contributors argued about the correct way to write a truly O-O Hello world
program. All the solutions provided were cumbersome compared to the traditional
printf(Hello, world!) solution. The point is, printing Hello, world! is
not an O-O problem!

Although for most commercial application packages an O-O architecture is the
best choice at present, for many embedded systems there is absolutely no reason
to use polymorphism with dynamic binding - which are the main language features
that distinguish the O-O approach from earlier methods. Ada has always provided
the other benefits associated with O-O languages (encapsulation, information
hiding, genericity). In safety-critical work there is a good case for regarding
dynamic binding as dangerous unless you formally prove it to be safe using
rigorous methods. And much as I dislike Ada, I have to admit that if you don't
intend to use dynamic binding and don't need the low-level features of C, Ada is
one of the safest languages around.

BTW there is probably more embedded programming being done using C rather than
anything more modern. Java is ruled out for most real-time embedded applications
because garbage collection pauses cannot be tolerated. [My own preference for
embedded work is MISRA C extended with a few features from C++ - but it needs
good tool support in order to ensure that all the worst unsafe features of C/C++
are avoided.]


Java, C#, and ML are strictly better than Pascal and Ada for almost
everything. But they did not spring out of the earth, they were built on
the progress of previous languages. Java in particular contains no novel
features at all, but rather shows good taste in the features it borrows
from others. What made Java interesting was the accident of history that
caused it to become the first strongly typed polymorphic programming
language to become widely popular.


I disagree with your almost everything because there is a huge amount of
embedded software developed for which Java is unsuitable. Java is certainly a
big improvement on C++ for anyone not needing the low-level control that C++ can
give, but unfortunately the designers of Java still borrowed too much from
C/C++. In particular, mixing automatic type conversion with overloading is a
_very_ bad idea. Indeed, for safety-critical work, almost any sort of automatic
type conversion is a very bad idea. The depressing thing about Java is that it
contains almost nothing new. In contrast, the designers of Eiffel added language
features designed to make producing correct programs easier.


You *can* teach object orientation with Simula 67 or SmallTalk, if you
really want to. But teaching object orientation with Java is a lot more
approachable in the contemporary context.


I certainly wouldn't advocate teaching Simula or Smalltalk. But focussing solely
on Java and O-O programming does not set students up well for embedded software
development.

David Crocker
Consultancy, contracting and tools for dependable software development
www.eschertech.com






RE: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-09 Thread Wall, Kevin
David Crocker wrote...

 There is a tendency to regard every programming problem as an
 O-O problem.  Sometime last year I read a thread on some
 programming newsgroup in which contributors argued about the
 correct way to write a truly O-O Hello world program. All
 the solutions provided were cumbersome compared to the traditional
 printf(Hello, world!) solution. The point is, printing
 Hello, world! is not an O-O problem!

Amen to that! I made similar remarks in the 'comp.compiler' and
'comp.object' USENET newsgroups as far back as 1991 (see for
example [URL probably will wrap] ...
http://groups.google.com/groups?hl=enlr=lang_enie=UTF-8newwindow=1safe=activethreadm=91-08-148%40comp.compilersrnum=1prev=/groups%3Fq%3Dcblph!kww%2Bgroup:comp.*%26hl%3Den%26lr%3Dlang_en%26ie%3DUTF-8%26newwindow%3D1%26safe%3Dactive%26selm%3D91-08-148%2540comp.compilers%26rnum%3D1)

I also muttered similar things within the Bell Labs community
much earlier than that during a time that C++ was first gaining momentum.

I'm of the belief that one should use the appropriate programming paradigm
that best fits the problem at hand. Contrary to how some may feel, I
strongly believe that does NOT mean that the best solution is always
an OO approach. Unfortunately, when all you have is a hammer...
[Note: In general, I'm a fan of OO--where and when appropriate.]

But this is getting way-off topic, so I'll cease my ranting.
(About time he shuts up! ;-)
-kevin
---
Kevin W. Wall   Qwest Information Technology, Inc.
[EMAIL PROTECTED]   Phone: 614.215.4788
The reason you have people breaking into your software all 
over the place is because your software sucks...
 -- Former whitehouse cybersecurity advisor, Richard Clarke,
at eWeek Security Summit




RE: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-09 Thread ljknews
At 2:26 PM +0100 7/9/04, David Crocker wrote:

 And much as I dislike Ada, I have to admit that if you don't
 intend to use dynamic binding and don't need the low-level features of C,...

Which are those low-level features not available with Ada ?

The C compilers I have used claim to be ANSI-compliant but lack anything
equivalent to Ada's representation clauses.

-- 
Larry Kilgallen




Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-08 Thread der Mouse
 I see both of you willing to mandate the teaching of C and yet not
 mandate the teaching of any of Ada, Pascal, PL/I etc.

 This seems like the teaching of making do.

And is not making do an important skill?

More seriously, as long as Unix variants maintain their position of
importance (something that shows no signs of going away), C will be an
important language for anyone outside academia to know - and many of
those inside academia.  As such, I would say that any program with so
much as pretensions to preparing people for the real world needs to
teach it to some extent.

Certainly not exclusively (I know I'm a better programmer for knowing
many languages).  Perhaps not even predominantly.  But as theoretically
ugly as it may be, it is still pragmatically critical.

/~\ The ASCII   der Mouse
\ / Ribbon Campaign
 X  Against HTML   [EMAIL PROTECTED]
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-08 Thread Julie JCH Ryan, D.Sc.
Another perspective on the education problem, keeping in mind that this 
is a global issue (as most are):

How Professor Hawking computes
Posted June 10, 2004 in ALS News
http://www.rideforlife.com/archives/001014.html
 Copyright 2003: Indian Express Group (Mumbai, India).
. extract follows
Mehta has himself been working with computers since 1971, when he was 
a student at IIT Delhi. His early exposure to computers was a result of 
a student programmer scheme started by Professor PCP Bhatt. There are 
few activities that match programming in sheer creative potential. On 
the Internet, programmers can claim to have changed the world. You can 
make a decent living from it as well, says he.

 What does he see as the three most important fields where Indian 
skills should be focussed upon? Mehta says, Mobile phone applications, 
particularly m-commerce, and the integration of desktop and mobile 
apps. Secondly, industrial and home applications, including automation 
and networking. Thirdly, games, particularly for an older population.

His regret is that the quality of programmers churned out by Indias 
education system is poor. Those who develop programming skills pretty 
much learn by themselves, or from their peers. The state of computer 
education particularly in our schools needs urgent attention, what is 
taught is horrific and by people with poor skills, he says.

. extract ends 




Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-08 Thread James Walden
ljknews wrote:
What is wrong with this picture ?
I see both of you willing to mandate the teaching of C and yet not
mandate the teaching of any of Ada, Pascal, PL/I etc.

This seems like the teaching of making do.
You read more into my post than I wrote, as I did not mandate that the students 
must learn C/C++.  They already know C/C++ by the time they take my course, but 
few have any exposure to the relevant security issues.  It's important that a 
security class cover security issues with the languages that the students have 
already used in their curriculum, unless that's already covered elsewhere.  How 
many people will change their programming language if they don't see what's 
wrong with the one they're currently using?

In summary, I teach the students the security issues (the powers and failures 
of C as Dana put it), not the language itself.  I do offer an overview of the 
features of more secure languages that students haven't used, but I don't have 
time to teach a new language in my security class, which isn't a pure software 
security class.

As for teaching students languages, we traditionally taught software 
engineering in Ada at my university, though we've moved to mostly Java or 
Python since the term project was required to be a web-based system. 
Introductory classes are taught using Java, in part because the AP test is 
Java-based, while computer architecture and assembly is taught using assembly, 
and operating systems is taught using C/C++.  Electives introduce other 
languages, of course.  I like ocaml myself, but its use is restricted to 
restricted to certain electives.

--
James Walden, Ph.D.
Visiting Assistant Professor of EECS
The University of Toledo @ LCCC
http://www.eecs.utoledo.edu/~jwalden/



Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-08 Thread Dana Epp
What is wrong with this picture ?
I see both of you willing to mandate the teaching of C and yet not
mandate the teaching of any of Ada, Pascal, PL/I etc.
This seems like the teaching of making do.
Hmmm, interesting point. In a particular set of learning objectives 
required to complete a credential (ie: CompSci, CIS etc) what do you 
recommend we sacrifice to put in all this teaching?

I don't pick C for C's sake. I choose C because ON AVERAGE, most 
students will be exposed to C more than the languages you suggest. 
Especially in the majority on industries hiring students out of university.

However, that said, I don't think the language matters past exposure to 
the industry. A strong foundation of programming skills should be 
language agnostic; loops are loops, recursion is recursion, conditions 
are conditions etc. Learning the syntax of the language to accomplish it 
is secondary. Knowing how a loop breaks down into machine instructions 
is the goal here. Not how to do it in Ada.

Think about it in reflection of a linguist doing translation at the 
United Nations. They didn't simply go and learn every particular 
language. They are trained in understanding the mechanisms of human 
speech and formal grammar, and they then apply it to the language they 
are learning. In other words, they work from their foundation of 
learning in grammar and then apply the syntax of the particular language 
they are translating. It makes learning new languages much easier, and 
much faster.

So too should be programming. If a student has a strong foundation of 
learning when it comes to programming, they can adapt to different 
computer languages that they are exposed to as it comes to them. C is a 
perfect language to use to quickly get those concepts across in a 
practical environment in universities. And more importantly, from a 
secure coding objective, you can show what NOT to do.

--
Regards,
Dana Epp
[Blog: http://silverstr.ufies.org/blog/]


RE: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-08 Thread Peter Amey


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]
 Behalf Of Crispin Cowan
 Sent: 07 July 2004 23:29
 To: ljknews
 Cc: [EMAIL PROTECTED]
 Subject: Re: [SC-L] Education and security -- another perspective (was
 ACM Queue - Content)
 
 
 ljknews wrote:
 
 What is wrong with this picture ?
 
 I see both of you willing to mandate the teaching of C and yet not
 mandate the teaching of any of Ada, Pascal, PL/I etc.
   
 
 Makes sense to me. what is the point of teaching dead languages like 
 Ada, Pascal, and PL/I?  Teach C, Assembler, and Java/C# (for the 
 mainstream), and some lisp variant (Scheme, ML, Haskell) and Prolog 
 variant for variety. But Ada, Pascal, and PL/I are suitable 
 only for a 
 history of programming languages course :)
 

I do hope that is a sort of smiley at the end of your message.  Please.

Peter


**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.  The IT Department at Praxis Critical Systems can be contacted at 
[EMAIL PROTECTED]
This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.
www.mimesweeper.com
**



This e-mail has been scanned for all viruses by Star Internet. The
service is powered by MessageLabs. For more information on a proactive
anti-virus service working around the clock, around the globe, visit:
http://www.star.net.uk





Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-08 Thread Fernando Schapachnik
En un mensaje anterior, ljknews escribió:
 At 1:56 PM -0700 7/7/04, Dana Epp wrote:
 
 I don't pick C for C's sake. I choose C because ON AVERAGE, most students will be 
 exposed to C more than the languages you suggest. Especially in the majority on 
 industries hiring students out of university.
 
 Primarily because that is what universities use for training.
 
 Originally because Unix was so cheap for educational institutions.
 
 I smell a vicious circle.

I smell a discusion going nowhere. What is the point of teaching a languague?
Teach them to program in a paradigm (better, in all of them, and give them the
tools to make educated choices about which is better for each context), and
choose any language as an *example* of the paradigm.

Latter on, they can pick the particularities of any language by a book.
Remember: don't give them fishes, teach them how to fish.

Having said that, giving a quick overview of C seems like a good idea when
teaching about security, because you can easily show examples of all types of
problems (I think is important, however, to make it clear that their represent a
class of problems, and can happen in many languages, not only in C).

Regards, Fernando.





RE: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-08 Thread Peter Amey


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]
 Behalf Of der Mouse
 Sent: 08 July 2004 03:47
 To: [EMAIL PROTECTED]
 Subject: Re: [SC-L] Education and security -- another perspective (was
 ACM Queue - Content)
 
 
  I see both of you willing to mandate the teaching of C and yet not
  mandate the teaching of any of Ada, Pascal, PL/I etc.
 
  This seems like the teaching of making do.
 
 And is not making do an important skill?
 

Absolutely, making do is an important skill.  However, those being taught have to be 
told that they are making do and made properly aware of the alternatives.  In fact 
showing them the superiority of the alternatives should help them understand the 
limitations of C and why they need to know how to make do!

What is not acceptable is to deprive them of the knowledge of superior alternatives 
and leave them thinking that making do is the state of the art.

Peter


**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.  The IT Department at Praxis Critical Systems can be contacted at 
[EMAIL PROTECTED]
This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.
www.mimesweeper.com
**



This e-mail has been scanned for all viruses by Star Internet. The
service is powered by MessageLabs. For more information on a proactive
anti-virus service working around the clock, around the globe, visit:
http://www.star.net.uk





Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-08 Thread Blue Boar
Jose Nazario wrote:
rather than talking in a vacuum, make sure you've read the latest
ACM/IEEE-CS curriculum guidelines:
http://www.acm.org/education/curricula.html
http://sites.computer.org/ccse/
Hrm.  I checked both pages, and searched for secur, and got nothing. 
I didn't click every link... security is mentioned briefly in a couple 
of places in the ACM strawman.

Was that your point?
BB



Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-08 Thread Blue Boar
Fernando Schapachnik wrote:
I smell a discusion going nowhere. What is the point of teaching a languague?
Teach them to program in a paradigm (better, in all of them, and give them the
tools to make educated choices about which is better for each context), and
choose any language as an *example* of the paradigm.
Ah... but beyond design problems, aren't most security problems 
language-specific abuses and bugs?  I'm thinking things like I didn't 
realize it would let me mix signed and unsigned... I didn't realize it 
would let me right off the end of the buffer... I didn't realize I had 
to escape or filter certain characters

BB



Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-07 Thread James Walden
Dana Epp wrote:
I'd be interested to hear what people think of the two approaches 
(separate security courses vs. spreading security all over the curricula).

 Regards.

 Fernando.
I don't think it's an either/or question; we need both approaches.  Students 
should study security wherever it's relevant in the curriculum, but they also 
need a security class towards the end of the degree program to integrate what 
they've learned with a deeper and more theoretical look at security at the 
level of Matt Bishop's Computer Security: Art and Science.

Well, I have been asked to teach a new forth year course at the British 
Columbia Institute of Technology (BCIT) this fall on Secure Programming 
(COMP4476).
It looks like a good class, Dana.  My only suggestion would be to present 
secure design principles in unit 2, instead of waiting to bring them up until 
unit 7 (I'm presuming you'll bring up more than least privilege there.)  I 
think you're right to wait until later in the term to bring up buffer 
overflows; it's a more difficult problem for students than I expected it to be 
the first time I gave such an assignment.

I only wish I could make all these books be textbook requirements for 
the curriculum. It should be mandatory reading.
I think they're all good books, but covering fewer topics and books in greater 
depth increases learning, so don't succumb to that temptation.  You can't teach 
them everything in one term, but you can point the way to continue learning 
with those books for students who want to know about security than one class 
can teach them.

Of course, I also think students should have to take at least one course 
in ASM to really understand how computer instructions work, so they can 
gain a foundation of learning for the heart of computer processing. And
I think they should be taught the powers and failures of C. Since I know 
many of you think I'm nuts for that, you might want to look at this 
outline with the same amount of consideration.
I agree with you on both of those requirements.  You need to have a basic 
understanding of assembly and how C is translated into assembly to understand 
the most common types of buffer overflow attacks.  There are better languages 
for secure programming than C, but students are almost certainly going to have 
to read or write C at some point in their careers, so they need to understand it.

--
James Walden, Ph.D.
Visiting Assistant Professor of EECS
The University of Toledo @ LCCC
http://www.eecs.utoledo.edu/~jwalden/



Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-07 Thread James Walden
Crispin Cowan wrote:
Another perspective (overheard at a conference 12 years ago):
   * Scientists build stuff in order to learn stuff.
   * Engineers learn stuff in order to build stuff.
I think that's about as accurate a summary of the distinction as you can make 
in 16 words.  What makes it even more fuzzy in our case is that computer 
science does not fit in any one category, as it's a conglomerate of maths, 
science, and engineering.  That may be why some universities are moving from 
departments of computer or information science to schools of computer or 
information science.

... however, the programming skills that universities teach is usually a 
side-effect of something else they are teaching: topics like algorithms, 
graphics, database, operating systems, networking, etc. They teach you 
the topic, give you a development project in that topic, and expect you 
to pick up the programming skills along the way.

What is broken about all this is security: the above approach teaches 
the kiddies to implement software anyway they can, under a lot of time 
pressure, and with very little QA pressure: graders have no time to 
rigorously test assignment hand-ins, and certainly not time to pen-test 
them.
I agree that programming being taught as an afterthought is one of the major 
sources of the problem with security, and it's related to computer science 
being a conglomerate of disciplines.  CS today feels like we're studying 
natural philosophy in the days before biology, chemistry, and physics became 
their own disciplines.  It worked when computer science was a younger field, 
but there's so much to study today that we can't fit all of it into a four year 
curriculum.

There are only a few solutions to adding security to the curriculum in this 
sutation: 1) remove other material to add security in its place, 2) expand the 
number of required classes and thus time for a degree, or 3) specialize CS into 
multiple disciplines, at least one of which has room for security in its 
curriculum.  I think the third choice is the likely and best long term 
solution, and the first is the most workable short term solution.

--
James Walden, Ph.D.
Visiting Assistant Professor of EECS
The University of Toledo @ LCCC
http://www.eecs.utoledo.edu/~jwalden/



Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-07 Thread ljknews
At 9:40 AM -0400 7/7/04, James Walden wrote:
Dana Epp wrote:

 Of course, I also think students should have to take at least one course in ASM to 
 really understand how computer instructions work, so they can gain a foundation of 
 learning for the heart of computer processing. And
 I think they should be taught the powers and failures of C. Since I know many of 
 you think I'm nuts for that, you might want to look at this outline with the same 
 amount of consideration.

I agree with you on both of those requirements.  You need to have a basic 
understanding of assembly and how C is translated into assembly to understand the 
most common types of buffer overflow attacks.  There are better languages for secure 
programming than C, but students are almost certainly going to have to read or write 
C at some point in their careers, so they need to understand it.

What is wrong with this picture ?

I see both of you willing to mandate the teaching of C and yet not
mandate the teaching of any of Ada, Pascal, PL/I etc.

This seems like the teaching of making do.
-- 
Larry Kilgallen




RE: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-07 Thread Wall, Kevin
Fernando Schapachnik wrote...

 I've considered 'secure coding' courses, and the idea always 
 look kind oversized. How much can you teach that students can't read 
 themselves from a book? Can you fill a semester with that? I'm
 interested in people's experiences here.

I suppose that depends largely on how you define secure coding
and how much depth you want to go into.

For the past 2 years I've taught a CS masters level course in
computer security. In addition to secure coding practices, I
also discuss:

* fundamental concepts of security (e.g., authentication,
  authorization, confidentiality, data integrity, nonrepudiation,
etc.);
* risk management and threat models;
* cryptographic foundations;
* authentication, access control, and auditing;
* common threats and vulnerabilities, and
* designing secure systems.

For the most part, because of time constraints and the fact that we are
trying to cover broader things then simply coding-related issues, the
secure coding practices are interspersed with the other topics, where
and when appropriate. (If you want more detail, you can find the
syllabus
at http://cs.franklin.edu/Syllabus/comp676/.)

 Adding a 'security chapter' to existing courses seems more 
 appropiate (at least to me). At the end of our Programming II
 course, I showcase students the vulnerabilities that can be
 understood or are related with what they've saw in
 class: these includes buffer overflows, input validation, integer
 over/underflows, race conditions, least priviledge, etc. I 
 stress that these are only samples, and point them to links
 (like David's great 'Secure Programming How-To') and books.
 I haven't had the chance to evaluate the impact of that, but
 it is on my to-do list.

I think that is a good approach, although I prefer mixing these
issues in where/when they might be more appropriate (e.g., discuss
security issues arising from race conditions when discussing
multi-threading, etc.) rather then saving them up for the end--if
only because there's a chance that they get crowded out if the
pace goes slower than expected.

 Similary, some other courses where security can be plugged 
 include operating systems, networking, SE, system's design, etc.

Indeed. At the same university, I taught the Distributed Operating
Systems masters level course. We used the Tannebaum / van Steen
text. The longest single chapter in the book was on security,
so the topic naturally fit in. (However, I know of other instructors
before me who simply skipped that chapter, thinking it wasn't as
important as the rest of the stuff.)

 I'd be interested to hear what people think of the two 
 approaches (separate security courses vs. spreading security
 all over the curricula).

I don't see it as either / or, but rather both / and. I think that
we sprinkle discussion of security, where appropriate, throughout
core courses (OS, networking, software design, etc.) and also have a
course or two at an upper (junior/senior) level. In that way, I
see it very similar to the way that we approach software design.
Generally there's a specific course or two on design, but we (hopefully)
teach it in bits and pieces at the beginning programming levels as well.
---
Kevin W. Wall   Qwest Information Technology, Inc.
[EMAIL PROTECTED]   Phone: 614.215.4788
The difference between common-sense and paranoia is that common-sense
 is thinking everyone is out to get you. That's normal -- they are.
 Paranoia is thinking that they're conspiring.-- J. Kegler




Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-06 Thread Fernando Schapachnik
En un mensaje anterior, der Mouse escribió:
  I think over the past 40 years or so, as a discipline, we've failed
  rather miserably at teaching programming, period.
  Right.  But on the other hand, that's not surprising - [because
  we've mostly not even _tried_ to teach programming, as opposed to
  computer science or software engineering].
  Care to explain what do you think a 'programming course' should have
  that is not covered in SE or CS courses (or curricula)?
 
 A computer scientist is a theoretician.  A software engineer is a
 designer.  A programmer is an implementer.
 
 A computer scientist can prove you can't, in general, sort faster than
 O(n log n) (and a good one can recast this as an explanatino of why).
 
 A software engineer can look at the application and decide which
 sorting algorithm is approproate for _this_ task, including, perhaps,
 choosing one with O(n^2) worst-case behaviour because of some
 application-specific property.
 
 A programmer can sit down and implement a sorting algorithm.

Well, my view is that a computer scientist is a scientist, which means he looks
into new/open problems. He'd better recall you can't sort faster than O(n log n)
based on comparisons, as a phisicist better recall general relativity laws, but
it can be a theoretician or an applied one (for example, designing new
programming languagues, etc). A software engineer applies stablished methods (if
shuch a thing exists today is left as an excercise to the reader) to tackle
problems. But that includes desigining, testing and programming. They are just
different parts of the software life cicle but all of them should be undertaken
as professional grade tasks.

So, in short, I think that programming is included in SE is included in CS.
Where A is included B means that any individual with an B degree should have
the knowledge necessary to successfully performs A's dutties (he might not have
the experience).

I don't agree with David Wheeler's statement that secure coding should be
taught instead of more basic things like sorting algorithms. Both are
important, but I believe that properly understading foundations is more
important that 'don't trust the input'. Of course there's more to security
than that, but that leads me to my main point. How should secure coding be
taught?

I've considered 'secure coding' courses, and the idea allways look kind
oversized. How much can you teach that students can't read themselves from a
book? Can you fill a semester with that? I'm interested in people's experiences
here.

Adding a 'security chapter' to existing courses seems more appropiate (at least
to me). At the end of our Programming II course, I showcase students the
vulnerabilities that can be understood or are related with what they've saw in
class: these includes buffer overflows, input validation, integer
over/underflows, race conditions, least priviledge, etc. I stress that these are
only samples, and point them to links (like David's great 'Secure Programming
How-To') and books. I haven't had the chance to evaluate the impact of that, but
it is on my to-do list.

Similary, some other courses where security can be plugged include operating
systems, networking, SE, system's design, etc.

I'd be interested to hear what people think of the two approaches (separate
security courses vs. spreading security all over the curricula).

Regards.

Fernando.





Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-06 Thread Mark Rockman
You are not nuts.  Your course outline  is a very substantial step in the
right direction.
- Original Message - 
From: Dana Epp [EMAIL PROTECTED]
To: Fernando Schapachnik [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, July 06, 2004 16:42
Subject: Re: [SC-L] Education and security -- another perspective (was ACM
Queue - Content)


  I'd be interested to hear what people think of the two approaches
(separate
  security courses vs. spreading security all over the curricula).
 
  Regards.
 
  Fernando.

 Well, I have been asked to teach a new forth year course at the British
 Columbia Institute of Technology (BCIT) this fall on Secure Programming
 (COMP4476). I have no problem sharing my course outline and breakdown,
 since a lot of this is adopted from experiences many other structured
 secure programming courses and literature are taking. The idea is that
 students need to build a strong foundation of learning that they can
 adopt in which ever discipline they follow in the future. This shouldn't
 be a first year course, but I think its a bit late being a fourth year
 course. You will note that the course I am teaching is somewhat language
 agnostic, and even platform agnostic to ensure that the foundation isn't
 tainted with 'fad-of-the-day' techniques, technologies and tools. (Hold
 that to Web applications, which the jury is still out on)

 Course Breakdown
 
 1. Essentials of Application Security
 * Types of attacks (hackers, DoS, Viruses, Trojans, Worms,
 organizational attacks etc)
 * Consequences of Poor Security (Data theft, lost productivity, damage
 reputation, loose consumer confidence, lost revenues)
 * Challenges when Implementing Security (Security vs Usability,
 Attackers vs Defenders, The misinformation about the security cost)

 2. Secure Application Development Practices
 * Implementing security at every stage of the development process
 * Designing clean error code paths, and fail securely
 * Planning on Failure through results checking
 * Code review

 3. Threat Modeling
 * Attack Trees
 * STRIDE Threat Modeling
 * DREAD risk analysis

 4. Using Security Technologies
 * Encryption
 * Hashing
 * Digital signatures
 * Digital certificates
 * Secure communications (Using IPSec/SSL)
 * Authentication
 * Authorization

 5. Detecting and fixing Memory and Arithmetic Issues
 * Buffer overflows
 * Heap overflows
 * Integer overflows

 6. Defending against Faulty Inputs and Tainted Data
 * User input validation techniques
 * Regular expressions
 * Parameter checking
 * Fault injection reflection

 7. Design, Develop and Deploy software through least privilege
 * Running in least privilege
 * Developing and debugging in least privilege
 * Providing secure defaults using the Pareto Principle
 * Applying native OS security contexts to processes and files (ACL,
 perms etc)

 8. Securing Web applications
 * C14N
 * SQL Injection
 * Cross-site scripting
 * Parameter checking

 As I complete the lesson plan this summer this outline will change. I
 think more study on understanding trusted and untrusted boundaries needs
 to be added, and some areas such as Threat Modeling will be flushed out
 with more detail. Overall though, you can get an idea of areas of
 education that I feel make up a core foundation of learning in secure
 programming. I wish I could take credit for this thinking, as its a
 strong foundation to build on. Alas I cannot; pick up any number of
 secure coding books and realize that this is all covered there in some
 degree:

 * Building Secure Code
 * Secure Coding Principles  Practices
 * Secure Programming Cookbook
 * Security Engineering
 * Building Secure Software

 I only wish I could make all these books be textbook requirements for
 the curriculum. It should be mandatory reading. Although you can teach
 some aspects in any course being provided, the reality is I think a
 dedicated course helps to build on the real foundation of learning. All
 other courses can re-enforce these teachings to further drive it home
 for the student.

 Of course, I also think students should have to take at least one course
 in ASM to really understand how computer instructions work, so they can
 gain a foundation of learning for the heart of computer processing. And
 I think they should be taught the powers and failures of C. Since I know
 many of you think I'm nuts for that, you might want to look at this
 outline with the same amount of consideration.

 -- 
 Regards,
 Dana Epp
 [Blog: http://silverstr.ufies.org/blog/]






Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-06 Thread Crispin Cowan
der Mouse wrote:
Care to explain what do you think a 'programming course' should have
that is not covered in SE or CS courses (or curricula)?
   

A computer scientist is a theoretician.  A software engineer is a
designer.  A programmer is an implementer.
A computer scientist can prove you can't, in general, sort faster than
O(n log n) (and a good one can recast this as an explanatino of why).
 

That's an interesting distinction, but it doesn't really map to reality. 
There are lots of academic computer scientists who actually study 
implementation issues. Me, for instance :) We publish in security at 
USENIX Security, NDSS (Network and Distributed Systems Security, I am on 
the PC for 2005 
http://www.isoc.org/isoc/conferences/ndss/05/cfp.shtml), more broadly 
for systems at USENIX (plug: I am on the Freenix program committee for 
2005 http://www.usenix.org/events/usenix05/cfp/freenix.html), OSDI, 
SOSP, etc.

Even more broadly, people publishing stuff at SIGGRAPH are often doing 
at least as much with implementation as algorithms.

Another perspective (overheard at a conference 12 years ago):
   * Scientists build stuff in order to learn stuff.
   * Engineers learn stuff in order to build stuff.
So both classes learn stuff and build stuff, but for different motives. 
As a result, the output of scientists is often informative, but not so 
often useful, and the output from engineers is often useful, but not so 
often informative. To the contrary, it is rather poor work if a 
scientists work is not informative, and disastrous if an engineer's work 
is informative (e.g. the Tacoma Narrows bridge, or Microsoft Windows :)

There is a good deal of overlap, of course; it's rare to find anyone
who is wholly one of these without any bleedover from the others.  In
particular, any really good person in any of the three fields is going
to have a good deal of skill/knowledge from the other two mixed in.
 

Agreed.
What this means for acamdeia is less clear.  In particular, most CS and
SE programs actually include a good deal of programming, partly because
that's what many of the students actually want, partly for historical
reasons, and partly because you do need some familiarity with
programming to be a good CS or SE (just as you need some CS/SE to be a
good programmer).
 

... however, the programming skills that universities teach is usually a 
side-effect of something else they are teaching: topics like algorithms, 
graphics, database, operating systems, networking, etc. They teach you 
the topic, give you a development project in that topic, and expect you 
to pick up the programming skills along the way.

This effect is more pronounced the more advanced the school is. The 
thought is that programming is a relatively simple topic, so while a 
community college will spend most of their time teaching programming, a 
top-tier university will spend about 2 weeks teaching the frosh to 
program, and the rest of it they are supposed to gather while studying 
actual computer science.

What is broken about all this is security: the above approach teaches 
the kiddies to implement software anyway they can, under a lot of time 
pressure, and with very little QA pressure: graders have no time to 
rigorously test assignment hand-ins, and certainly not time to pen-test 
them.

Bringing us back to the root of this thread: we have been waiting 
forever for security to make it into the basic CS curricula. The rate of 
progress is not encouraging.

Thus, to really separate the programs, you'd have to pull the
programming out of the CS and SE curricula and put them in a
programming curriculum, perhaps with some new material added.  I'd
actually argue for going the other way, though, since the lines between
the areas are actually rather artificial, drawn not so much because
there really are boundaries there as because humans like to draw
boundaries around things.
 

For that to work, there would have to be programming content in 
curricula to pull out :)  OTOH, on reflection I tend to agree that 
unless how to program *safely* is a subject, that you cannot expect 
kids to infer it, and so successfully teaching security

What this has to do with _secure_ coding...well, nothing, directly.
But part of teaching programming really ought to be teaching the
security side of it, and whether you call it CS or SE or programming,
that's something I agree academia has mostly failed at.
Security for CS includes things like a bit of cryptography, some of the
mutant complexity theory that considers a problem that's O(1) 99% of
the time O(n^n) the other 1% easy rather than hard; security for SE
includes things like writing interface contracts that specify what
_isn't_ defined as well as what _is_; security for programmers includes
things like not overrunning buffers.  Again, there's a lot of overlap.
/~\ The ASCII   der Mouse
\ / Ribbon Campaign
X  Against HTML[EMAIL PROTECTED]
/ \ Email!   7D C8 61 52 5D 

Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-05 Thread Fernando Schapachnik
En un mensaje anterior, der Mouse escribió:
  In general, I don't think this is an issue that is unique to _secure_
  programming (coding, design, etc.).  I think over the past 40 years
  or so, as a discipline, we've failed rather miserably at teaching
  programming, period.
 
 Right.  But on the other hand, that's not surprising - when did you
 last see even a course, never mind a program, in academia that was
 _supposed_ to teach programming (as opposed to computer science or
 software engineering or any of the various other things usually taught
 instead of it)?

Care to explain what do you think a 'programming course' should have that is not
covered in SE or CS courses (or curricula)?

Regards.

Fernando.





Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-05 Thread der Mouse
 I think over the past 40 years or so, as a discipline, we've failed
 rather miserably at teaching programming, period.
 Right.  But on the other hand, that's not surprising - [because
 we've mostly not even _tried_ to teach programming, as opposed to
 computer science or software engineering].
 Care to explain what do you think a 'programming course' should have
 that is not covered in SE or CS courses (or curricula)?

A computer scientist is a theoretician.  A software engineer is a
designer.  A programmer is an implementer.

A computer scientist can prove you can't, in general, sort faster than
O(n log n) (and a good one can recast this as an explanatino of why).

A software engineer can look at the application and decide which
sorting algorithm is approproate for _this_ task, including, perhaps,
choosing one with O(n^2) worst-case behaviour because of some
application-specific property.

A programmer can sit down and implement a sorting algorithm.

There is a good deal of overlap, of course; it's rare to find anyone
who is wholly one of these without any bleedover from the others.  In
particular, any really good person in any of the three fields is going
to have a good deal of skill/knowledge from the other two mixed in.

What this means for acamdeia is less clear.  In particular, most CS and
SE programs actually include a good deal of programming, partly because
that's what many of the students actually want, partly for historical
reasons, and partly because you do need some familiarity with
programming to be a good CS or SE (just as you need some CS/SE to be a
good programmer).

Thus, to really separate the programs, you'd have to pull the
programming out of the CS and SE curricula and put them in a
programming curriculum, perhaps with some new material added.  I'd
actually argue for going the other way, though, since the lines between
the areas are actually rather artificial, drawn not so much because
there really are boundaries there as because humans like to draw
boundaries around things.

What this has to do with _secure_ coding...well, nothing, directly.
But part of teaching programming really ought to be teaching the
security side of it, and whether you call it CS or SE or programming,
that's something I agree academia has mostly failed at.

Security for CS includes things like a bit of cryptography, some of the
mutant complexity theory that considers a problem that's O(1) 99% of
the time O(n^n) the other 1% easy rather than hard; security for SE
includes things like writing interface contracts that specify what
_isn't_ defined as well as what _is_; security for programmers includes
things like not overrunning buffers.  Again, there's a lot of overlap.

/~\ The ASCII   der Mouse
\ / Ribbon Campaign
 X  Against HTML   [EMAIL PROTECTED]
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B




[SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-02 Thread Wall, Kevin
Kenneth R. van Wyk wrote...

 FYI, there's an ACM Queue issue out that focuses on security -- see 
 http://acmqueue.com/modules.php?name=Contentpa=list_pages_issuesissue_id=14

 Two articles there that should be of interest to SC-L readers include
 Marcus Ranum's Security: The root of the problem -- Why is it we can't
 seem to produce secure, high quality code?  ...snip...

I've been thinking alot about some of the statements that Marcus Ranum
made in his most recent article in the _ACM Queue_ (Vol 2, No 4)...
even before Ken invited us all to comment on it.

I mostly agree with Ranum's conclusions, although perhaps for
different reasons.

Ranum states:
It's clear to me that we're:
 + Trying to teach programmers how to write more secure code
 + Failing miserably at the task

He goes on to say that it [educational approach] flat out hasn't
worked.

In general, I don't think this is an issue that is unique to _secure_
programming (coding, design, etc.). I think over the past 40 years or
so, as a discipline, we've failed rather miserably at teaching
programming, period. For the past 25 years, I've worked closely with
both highly educated Ph.D. computer scientists and with those whose
formal CS education consisted of at most a course or two in something
like C or Pascal. In many of these cases, the less educated are
beating out those who have had more formal education. (In fact,
I'd say this has been true in at least as many as 50% of the cases.)

What makes the difference? Well, it goes beyond mere aptitude and
general intelligence. I think in part at least, it goes with having
a passion for what you do. To some, doing design and coding and
other creative aspects is an artistic expression, a noble cause
and they would do it even if there weren't paid for its--witness
the open source movement which is largely funded by volunteer
labor. Others see it as a job or a career path, but not much
more. In my 25 year observation, those with this PASSION almost
always get it, and those without it are usually left behind
after the first few years into the profession.

I think that the same can be said for secure coding / design.
Not only do those people have a passion for coding / design, but
the ones who seem to get it are the ones who have a passion for
security as well.

Okay, so probably no surprise here, right? Do what you enjoy and
you'll excel at it more often than ones who do it out of other
motives (no matter how noble--such as making an affordable living to
provide for your family).

So I agree with Ranum in a sense--that educational approaches to
security have overall failed, but I think it is not because the
educational process / system per se has failed us (not that I'm
arguing that it couldn't be improved), but because we haven't been
able to ignite the passion for security in others. (And frankly,
I'm not even to what degree that's possible. I'll leave that to
another discussion.)

In the past two years, I've had the fortune to teach a computer
security course that I had the major part in organizing / developing.
I have learned two things about the students during that time:
1) All the students do well when it comes to rote
   memorization. (E.g., questions such as What cipher mode
   doesn't require an Initialization Vector?, etc.)
2) Only the students that seem to get it seem to do well
   on the questions requiring thought (i.e., ones requiring
   reasoning outside the box).

Surprisingly (at least at first), I have often been discovered that
those who other faculty members often consider the brightest students
are ones who do the worst on the questions requiring thought.

But in general, by the end of the 12 week period, I usually can tell
who is going to take and try to apply what they learned and those
who just chalk up the course as another 3 credit hours.

I see what I think is a related phenomena in the commercial world
as well. I've worked with a lot of developers who have worked on
security-related software (e.g., firewalls, crypto, secure proxies,
authentication and access control systems, etc.). One would EXPECT
that the groups that work on these projects would as a whole do
better at developing secure programs than the IT industry as a whole.
But overall, I don't think that their batting average is all that
much higher than the industry at large. We often hear excuses for
this (security software is more complex, etc.), but I'm not buying
it. If anything, it's this observation more than anything else that
makes me think that formal education is not THE answer (although,
I do think it is part of the answer).

On a related note to security and education, I was wondering if anyone
knows of any experimental data that shows that those with formal
education in security develop more secure programs than those
who have never had such formal training?  If no such experimental
data exists, why not? Can no one think of some formal,