Teaching The Writing of Secure Code

One of the great problems of teaching computer science is that there is a limited amount of time to teach and an unlimited amount of things that can be taught. There is very little degree of agreement of what must be taught. Teachers do the best they can but there is a good amount of variation on what gets taught. One thing that seems to always (or close to always) get left out is writing safe and secure code.

Few teacher give more than a cursory mention of error handling for example. The try/catch keywords get a little use but not much. For the most part, when a student program goes wrong it just crashes. Student programs tend to depend on the user entering information in the way the program is set up to receive it. This works, more or less, in the context of student projects because the projects are generally designed to test or use specific concepts other than error handling.

Outside of school, validating data as it is input is pretty important. There is a classic XKCD comic that highlights this idea. Bonus as it includes a school context. This is one way to at least talk about the concept even if there isn’t a lot of time and ability to reenforce it with a project. Though, string manipulation projects are sometimes a good way to talk about writing code to force specific forms of data formatting.

 

Back in the day, learning C (before C# or even C++) we talked a lot about memory management and things like overflowing strings and buffers. Ignoring those things was a major cause of security breaches. That’s probably true today as well.  Modern languages with string objects, garbage collection, and other forms of memory management reduce some of the risk but students will benefit with some discussion of the topics. 

Another topic that merits some discussion is validating where inputs come from. Data from a user input is obvious, usually.  Data from files a bit less obvious. Data from other code is the least obvious and potentially the highest risk.

Many years ago I was part of an operating system development group and we were adding many layers of security. Great stuff but we thought a great deal about making sure the right security information was passed along. Code deep in the OS was responsible for sharing security information with user level code. We worked hard to make sure that only trusted information was allowed to reach different levels of code. We also worked hard to make sure that only reliable information went down to lower levels.  That users can’t always be trusted is an important lesson at any level.

Secure code is a complicated issue of course. I have a great book called “Writing Secure Code” and it is almost 800 pages long. Not realistic for a high school CS class of course. I do think we can and should spend some time on the topic though. Ideally in the context of various other topics during a course. A few stories, or even cartoons, may help make the topic more memorable.

High School Cybersecurity Course–What Belongs

The last few years have seen a huge expansion in the number and types of cyber security courses in high schools. Much of this has been driven by a growth in the realization that we, society, governments, businesses, need more help making our systems secure from bad actors. CS ed as career development. Great in career technical schools of course. Yet another CS elective in comprehensive schools as well. Pretty easy to sell to school boards and administrations.

The CollegBoard has jumped on the bandwagon with AP Career Kickstart Cybersecurity Pilots.  I did take a look through that program. To me, the first course looks a lot like a standard IT/Networking course. I guess that makes sense as a prerequisite. After all,step one of a secure network is setting up a network.

The second course looks a lot more like what I think about as cybersecurity. Could be a good course. I hope that some of the pilot teachers will share what they learn while teaching it.

I don’t know that all courses calling themselves cybersecurity are that deep though. From what I have seen, some courses that call themselves cybersecurity are mostly about staying safe on the internet. That’s not a bad thing as long as proper expectations are set.

One related topic I have been thinking about is writing secure code. Is there room for that in high school? On the other hand, are we doing students a disservice by not talking about it at all? That’s the area of cybersecurity I hope to spend some more time thinking about. I’m more of a coder than a network guy.

Should K-12 CS Education Be About Belonging in CS

I’ve been rather wrapped up in moving the last few weeks so haven’t been thinking about high school, or K-12, computer science education as I intended since my last blog post. Mark Gurdial thought has been doing some thinking. Check out School teachers don’t need to recruit students into CS: An alternative model for K-12 computing education for his latest post.

Mark has also been looking at the effort to rewrite the CSTA standards which I have been ignoring. Perhaps I should be paying more attention. Anyway, Mark argues that “Sense of Belonging in CS” should not be in the list of goals. When I read that line in Mark’s post I wondered what “sense of belonging in CS” actually means. Does it mean that students should see themselves as future computer scientists or software professionals or CS majors in university? All of that seems like over much to ask.

I’ve said for a long time that we don’t teach physics in high school to turn out more physicists (And similar analogies) Do we expect students to feel like they belong in physics? I don’t think so. We do want students to understand something about how physics impacts the world around them. And if they develop an interest in studying more physics that is great but its not a goal.

We do want students to exit high school knowing something about computer science. We want them to see how it impacts the world around them. I think we also want them comfortable with the idea that they cab do something with computers and computing. Helping them to see how computing relates to what their major interests are is great. Belonging in CS? Maybe a bridge to far.

Visit Mike Zamansky’s take here https://cestlaz.zamansky.net/posts/cs-for-all-or-all-for-cs/

Rethinking High School Computer Science

I love programming. I took a computer science course as an undergraduate and really fell in love with programming.While I made my living writing code for many years, my wife once wondered if I would have been happier with coding as an avocation rather than a vocation. That’s a bias I have no doubt taken in my teaching career. But is it the right bias for developing high school CS curriculum? I’m starting to wonder about that.

I’ve said in a number of ways that we don’t teach high school physics because we need for physicists. We teach HS physics to help students understand the world they live in. The same needs to be true for high school computer science.

A recent blog post by Mark Guzdial brought that into focus. (CS doesn’t have a monopoly on computing education: Programming is for everyone) The key line in that post was this: Computing education for non-CS majors is different than what we teach CS majors.

Now we talk a lot about computer science for all and that teaching high school computer science should not be about vocational training or just preparing students to be CS majors. But is that how we are developing our curriculum and our ideas about what students should be taught?

Note: The rest of this post is based on a comment I left on Mark’s blog post BTW.

Often we're lucky to have any CS courses even with improvements in recent years. SO having a variety of courses for different types of students seems impractical. High schools don't have the resources that universities do. Actually, small colleges and universities don't have the resources that schools like Michigan does!

But circling back to high schools which is my focus, what should we be teaching? For the most part, high school CS is largely still preparation for CS majors in university or for vocational preparation. The growth in cybersecurity courses in indicative of the vocational focus, for example.

Some schools do have the ability to offer multiple courses. It takes a larger CS program to do that though. The high school I retired from did adopt a course teaching Python largely at the request of the Physics department, for example. R is a big language in many university majors but we don’t see much R in high schools. Should we? I am not sure. Many schools will be limited to one or two courses that have to prepare everyone in any case.

Advanced Placement Computer Science Principles is probably the closest course available for computing education for meeting multiple computing paths. It's still controversial in HS CS with its perception in some circles as a watered-down CS course. It may just be the course we should be paying the most attention to though.

Writing requirements for HS CS is going to remain difficult though. Getting people to give up or even depreciate loops is going to be impossible. (Reading the Guzdial post makes that last line more understandable. Not all programming requires loops.)

Ultimately, high school computer science is all over the map from schools that offer little to none with few taking CS to schools offering multiple options and requiring all students to take some. Universities cannot expect students to have even a base level of CS. Some students are going to have huge advantages. And that makes me sad.

Writing Directions Is Hard

I finished assembling a new bed frame yesterday. I seems solid with good quality materials and seems well designed. The directions on the other hand left something to be desired.  Some things were unclear and resulted in some errors on my part. The “steps” were diagrams that usually clearly showed where all the pieces should go. It was not clear in what order things should be attached leaving the assembler to  make assumptions which sometimes resulted in things being more difficult than they might have been. In at least one place, it would have been helpful to say something like “leave some slack here until step x” where step X involved pieces that had to fit in with the pieces in that step.

And finally, saying that a piece goes on the left or right is less helpful if the instructions are unclear about if left is based on facing the headboard or facing the foot board.

So what does this have to do with computing? Well, I kept thinking about how a robot AI would assemble from these directions. I decided that a robot AI would require a lot more in the way of direction. Software, even so called artificial intelligence software, does not handle ambiguity well. Even things that are obvious to humans need to be spelled out for software.

We’re probably a long way from having general purpose robot assembling household furniture but even if the hardware was ready I don’t think we’re ready for giving it instructions.

We’ve joked about a “do what I mean” instruction for decades but even humans struggle with interpreting ambiguous instructions. We’ve all heard someone say “just do what I mean” expecting people to understand jargon or figures of speech. Those things require a knowledge of context and individuals ways of speaking that are often culturally dependent. Can we program all that into an AI? Maybe one day though I expect that AIs will have to work with people for a while to really get solid understanding. Each person may have to train the AI individually.

Circling back to directions. Today’s AIs like ChatGPT and others are given prompts. It often takes several iterations of prompts to get the results that users want from the tool. I have actually seen course descriptions that include learning how to properly give prompts. Yes, it seems that humans have to be taught how to talk to artificial intelligences. It seems to me that learning to program may be helpful here.

Programming is writing directions for the computer.  It involves taking very human prompts and writing directions that interpret what the user actually wants in terms that the computer understands. It involves removing ambiguity. Programming, and computer science more generally, help people understand the world of computing. That is becoming ever more important in understanding the world we live in every day.

I’ve been saying for a long time that we should not be focusing computer science in education as a career subject. We should be focused on helping students understand the world they live in. That is why everyone needs to learn some computer science.

CSTA Ends Free Membership

I suppose it was inevitable. In the beginning, CSTA only had a free membership. The organization was originally funded by outside sponsors. An NSF grant covered membership for the first six years. This was probably never really sustainable. After a few years, the CSTA Board, I was a board member at the time, started talking about paid memberships. Going totally paid, as most professional membership organizations seem to be, seemed like a big jump. Eventually, two tiers were developed. A free membership and a paid membership that had additional benefits. CSTA+ was born.

It was something of a struggle to define benefits to make a paid membership seem worthwhile but the differentiation grew over time. For many CSTA members, including myself, the fact that a paid membership was a positive financial support for the organization was really enough.

Things change over time and CSTA recently announced that the Plus was going away and there would only be paid CSTA membership. The benefits of a free membership, like the category itself, are going away. Joining a local chapter will require a paid membership. Participation in most chapter events will be limited to paid members. Local chapters can still hold events open to non (paid) members but there will not be support from the national organization for them.

Like many members, I am disappointed in the change. I am sure it makes some financial sense for the organization but it feels like they (I almost said “we”) are abandoning a lot of now former members. This is especially true of the many teachers who don’t self identify as computer science teachers. Many see themselves are math teachers or science teachers or elementary school teachers or , well, you get the picture, rather than computer science teachers. Many of these teachers are already paying members of organizations they identify more strongly with. Will they spend more money to join CSTA? Often, I fear, not.

Unlike many companies and some universities, K-12 schools don’t often pay for professional memberships. Some programs, like Amazon Future Engineers, will offer scholarships with some attendant hoops and commitments. Some teachers will get memberships through CSTA Conference registration which many districts will pay for in part. A lot of teachers will question the value. Sure it’s “only” $50 but we have a lot of underpaid teachers who are already spending out of pocket to support their classrooms.

We’ll see where CSTA membership is a year from now. Personally, I’m retired and I’m making a lot of decisions about my discretionary spending. I just renewed my ACM membership – paid. I don’t know if I will do so next year. I love the magazines and I download a lot of SIGCSE papers to read. They are not as relevant to me as a retired teacher but I love keeping up. For now at least.

I have loved being a CSTA member since the very beginning. It feels like my tribe. It has always been a highly inclusive organization. I’m still a CSTA+ member, or just member now, until this summer I believe. I will decide then about continuing or not.

H1B AI and the Future of Computer Science education

H1B visas are back in the news these days. One one hand we have some loud calls for more H1B visas with a claim that US native workers are not up to snuff. Or at least that there are not enough good ones locally. On the other hand, people claim that well qualified Americans are losing out because foreign workers are taking jobs at lower pay. That the call for H1Bs is all about saving money. Amidst all of this, American students are wondering about future jobs for them between artificial intelligence and H1B workers taking all the jobs.

H1B and both hiring and salaries are actually more complicated than many think. Some claim that H1B workers work for less but the law and most hiring companies payH1B workers and natives the same salaries.Plus it can be hard to hire H1B workers because of government rules and paperwork.

On the other hand, supply and demand are involved. If H1B workers increase supply than salaries may be lower for everyone. My friends and contacts in the software industry complain that there is an over abundances of programmers and that the need is dropping because of AI. Other industries may very well be different. I just don't know.

From what I have read a majority of H1B visas these days do got to software developers. Are Musk and Ramaswamy talking about a need for other types of engineers? Are we facing a shortage of other engineers? I don’t know but I will focus on computer/software types because that is where my expertise rests.

Some of that Musk and especially Ramaswamy are saying is that US student don’t work hard enough and that the US educational system is not helping. Leaving aside that many of the people who agree with them want to cut funding for education and make the system worse aside, what is happening.

I have taught a number of international students over the years. These students generally do work harder and show more respect for teachers and for learning. Ramaswamy is not totally wrong on that. The students I have had are not typical in many ways from their peers in their home countries. I would hesitate to extrapolate to what goes on in those countries. Lets face it, it takes a very motivated and privileged student to go study in another country.

Priorities are a bit off in some respects in American education though. Look at how many states where the highest paid public employee is a college football or basketball coach. In other countries sports and school are not as connected as in the US. How often to athletes get special treatment in American schools and college admission! And yet, students come to the US from all over the world to study at American universities. Clearly, we’re doing some things right.

Cost of higher ed is a turn off and a burden for many. Universities are spending money on some non-academic things to attract students which adds to the cost. That is in part, I think, because the US has cut funding that could help students get a good education. People forget that the greatest growth in the economy came from GIs getting free tuition after WW II. Reducing government funding of higher ed is a direct cause IMHO, for a perceived need for H1B workers. If Musk and Ramaswamy think there are problems with US education spending more money IS the answer.

What does this mean for American students? Well, for starters it means they need to do more to prove themselves. Years ago I was working for Microsoft on a competition called the Imagine Cup. International students took to it and worked their tails off. American students, especially those at top universities, said that there wasn’t enough prize money to make it worth their while. A degree from a name university was all they needed. They saw no need to try to prove themselves. Those days are gone! And good riddance.

A student today who wants a career in software or related fields can get it but they should not expect it to be handed to them. The evidence companies are looking for are not grades or what university you attended but actual evidence of accomplishment. A solid portfolio in GitHub for example. Or projects completed in an internship or working to help a non profit. Or perhaps building out systems for a small business. What did you do outside of classwork?

High school students work very hard to get into universities. They research what universities are looking for and they build impressive resumes. Too often they coast once getting into university. Oh sure, the academics can be hard and they have to work at it. But universities have all sorts of support for students once they get into the university. It is tempting to think that university is about having a good time before being handed a good job. That is the mentality that hurts students.

Can American students have a good career in computing in spite of AI and H1B visas? Absolutely, but they cannot take it for granted.