
Sunday, August 24, 2025

Tiny Book of Simple Cryptography

For the last several years, I have been playing around with simple cryptography. I have made some of the results of this available as a free PDF download, a book I call Tiny Book of Simple Cryptography (TinyCrypto.pdf). I recently put some additional work into it and the latest version is available at the link above.

There are currently a baker’s dozen cryptographic methods described in the book. (List at the bottom of this post) Each write up includes a section on:

  • Introduction
  • Encrypting
  • Decrypting
  • Cryptography Issues
  • Project Suggestions

If a PDF is not to your liking and you would like an actual book, I have created a book you can order through Amazon.com. Maybe for a classroom or school library? Or maybe because you find books easier to browse through. It’s there. There is also a Kindle version available here.

 

Methods covered

  • Caesar Cipher
  • Vigenère cipher
  • Wheel Cipher
  • One Time Pad
  • Polybius Square
  • PigPen Cipher
  • Columnar Transposition Cipher
  • Keyword Columnar Transposition Cipher
  • Random Block Transposition Cipher
  • Steganography
  • Bacon’s Cipher
  • Book Ciphers
  • Playfair cipher

Sunday, March 30, 2025

Teaching The Writing of Secure Code

One of the great problems of teaching computer science is that there is a limited amount of time to teach and an unlimited number of things that can be taught. There is very little agreement on what must be taught. Teachers do the best they can but there is a good amount of variation in what gets taught. One thing that seems to always (or close to always) get left out is writing safe and secure code.

Few teachers give more than a cursory mention of error handling, for example. The try/catch keywords get a little use but not much. For the most part, when a student program goes wrong it just crashes. Student programs tend to depend on the user entering information in the way the program is set up to receive it. This works, more or less, in the context of student projects because the projects are generally designed to test or use specific concepts other than error handling.

Outside of school, validating data as it is input is pretty important. There is a classic XKCD comic that highlights this idea. Bonus as it includes a school context. This is one way to at least talk about the concept even if there isn’t a lot of time and ability to reinforce it with a project. Though, string manipulation projects are sometimes a good way to talk about writing code to force specific forms of data formatting.

 

Back in the day, learning C (before C# or even C++) we talked a lot about memory management and things like overflowing strings and buffers. Ignoring those things was a major cause of security breaches. That’s probably true today as well. Modern languages with string objects, garbage collection, and other forms of memory management reduce some of the risk but students will benefit from some discussion of the topics.

Another topic that merits some discussion is validating where inputs come from. Data from a user input is obvious, usually. Data from files is a bit less obvious. Data from other code is the least obvious and potentially the highest risk.
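The error-handling and input-source points above, as an added example (not code from this post): a small loader that treats every line of a grade file as untrusted, checks it against an allow-list, and reports bad records instead of crashing. The `name,score` format, the name rule, the 0-100 range and the sample lines are assumptions made for the illustration.

```python
import re

# Allow-list for names: starts with a letter, then letters, spaces, hyphens
# or apostrophes, 40 characters at most. (Assumed rule for this example; a
# real roster may need a wider alphabet.)
NAME_PATTERN = re.compile(r"[A-Za-z][A-Za-z '\-]{0,39}")


def parse_record(line):
    """Turn one 'name,score' line into (name, score) or raise ValueError."""
    fields = line.strip().split(",")
    if len(fields) != 2:
        raise ValueError(f"expected 2 fields, got {len(fields)}")
    name, raw_score = fields[0].strip(), fields[1].strip()
    if not NAME_PATTERN.fullmatch(name):
        raise ValueError("name contains characters outside the allow-list")
    try:
        score = int(raw_score)
    except ValueError:
        # Convert the low-level error into one that names the bad field.
        raise ValueError(f"score is not a whole number: {raw_score!r}") from None
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range 0-100: {score}")
    return name, score


def load_records(lines):
    """Validate every line; keep the good records and list the rejected ones."""
    good, rejected = [], []
    for number, line in enumerate(lines, start=1):
        try:
            good.append(parse_record(line))
        except ValueError as problem:
            rejected.append((number, str(problem)))
    return good, rejected


# Constructed sample input standing in for the contents of a file.
SAMPLE_LINES = [
    "Ada Lovelace,95",
    "Grace O'Malley,88",
    "Alan Turing,ninety",   # score is not a number
    "Linus,140",            # score outside the allowed range
    "Robert'); --,70",      # punctuation the allow-list does not permit
    "no score here",        # wrong number of fields
    "",                     # empty line
]

if __name__ == "__main__":
    records, problems = load_records(SAMPLE_LINES)
    print("accepted:", records)
    for line_number, reason in problems:
        print(f"line {line_number} rejected: {reason}")
```

The same `parse_record` check applies whether the line came from the keyboard, a file, or another function, which is the point of validating by source rather than by habit.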

Many years ago I was part of an operating system development group and we were adding many layers of security. Great stuff but we thought a great deal about making sure the right security information was passed along. Code deep in the OS was responsible for sharing security information with user level code. We worked hard to make sure that only trusted information was allowed to reach different levels of code. We also worked hard to make sure that only reliable information went down to lower levels.  That users can’t always be trusted is an important lesson at any level.

Secure code is a complicated issue of course. I have a great book called “Writing Secure Code” and it is almost 800 pages long. Not realistic for a high school CS class of course. I do think we can and should spend some time on the topic though. Ideally in the context of various other topics during a course. A few stories, or even cartoons, may help make the topic more memorable.

Tuesday, March 25, 2025

High School Cybersecurity Course–What Belongs

The last few years have seen a huge expansion in the number and types of cyber security courses in high schools. Much of this has been driven by a growth in the realization that we, society, governments, businesses, need more help making our systems secure from bad actors. CS ed as career development. Great in career technical schools of course. Yet another CS elective in comprehensive schools as well. Pretty easy to sell to school boards and administrations.

The College Board has jumped on the bandwagon with AP Career Kickstart Cybersecurity Pilots. I did take a look through that program. To me, the first course looks a lot like a standard IT/Networking course. I guess that makes sense as a prerequisite. After all, step one of a secure network is setting up a network.

The second course looks a lot more like what I think about as cybersecurity. Could be a good course. I hope that some of the pilot teachers will share what they learn while teaching it.

I don’t know that all courses calling themselves cybersecurity are that deep though. From what I have seen, some courses that call themselves cybersecurity are mostly about staying safe on the internet. That’s not a bad thing as long as proper expectations are set.

One related topic I have been thinking about is writing secure code. Is there room for that in high school? On the other hand, are we doing students a disservice by not talking about it at all? That’s the area of cybersecurity I hope to spend some more time thinking about. I’m more of a coder than a network guy.

Wednesday, December 13, 2023

Looking Forward to Computer Science Education in 2024

“Prediction is very difficult, especially if it’s about the future!” --Niels Bohr

My track record at looking forward in CS education is a mixed bag. I kept expecting a big jump in internet of things courses and those never developed. Sad really. I think it would be a good idea. I keep predicting growth in cybersecurity courses and the past year seems to show a lot of growth there.

Cyber security is getting a lot of press so I see more of these courses in 2023. I hope they are real in-depth courses and not just how to stay safe online. Teachers interested in this should follow the Cybersecurity Educators group on Facebook.

I predict that Artificial Intelligence will be a big deal in CS education in 2024. OK, that’s easy. How will it play out? Well, that is a different question. Certainly teachers are going to be concerned about AI tools helping students cheat. Some, the better teachers, will find ways to use AI tools. For example, having students evaluate the generated code. Does it cover all the conditions? How can prompts be better for better results? Is the generated code any good? What does “good code” even mean?

There will also be a growing movement to teach about AI. How does it work? What are its limitations? What are the ethical and social impacts of AI? So much to teach and learn for students and for teachers. We’re only getting started.

Another easy prediction – Python will continue to grow in use. AI libraries will drive some of that for sure. A lot of teachers seem to prefer it to Java though so there is that. Will it replace Java for APCS A? I doubt it. It will be interesting to see how the JavaScript/Python balance develops in AP CS Principles though. Keep an eye on it.

Unfortunately, I predict continued growth in the number of unprepared CS teachers. I wrote about this in my looking back post and I have no expectation of improvement anytime soon. Looking Back on Computer Science Education 2023

One big thing I wonder about is DEI in CS education. Will the politics and demonization of DEI impact how CS is taught? Diversity, Equity, and Inclusion are pretty important if we’re going to really make progress in computer science. Having a white and Asian male monoculture has not, in my opinion, led to a good CS ecosystem. We need diverse thought in CS. I may have another post just on that subject.

At the same time, we need to be careful in PD and conferences that we don’t only talk about DEI. I’m not seeing a lot of disagreement on the idea that we need to have diversity in the industry and our classrooms. Teaching equitably is also a no brainer. And inclusion? We’ve pretty much agreed on the need for that in education. Do teachers need to be beaten over the head to see the need? Not the ones I know. At some point too much preaching to the choir is going to result in a backlash that we can ill afford. Let’s not assume that teachers don’t understand the problems. Let’s focus on solutions.

I’m really looking forward to the annual CSTA conference this summer. It’s going to be great. This summer we will hear what teachers have learned over the last year or two. Being in-person means a lot more interaction. I may have to make a mid-year post about the 2024/2025 school year after the conference.

So what do you see happening in CS Education in 2024?

Tuesday, March 14, 2023

Book Recommendations for CS People

tl;dr Book recommendations:

Overnight Code was recommended to me after I recommended Code Girls on Facebook. Overnight Code is a truly inspiring story of a woman with two strikes against her (female and Black) whose hard work, determination, and talents helped her do some revolutionary work in naval engineering and integrating hardware/software systems.

Debugging code is arguably a lot harder than writing new code. Raye Montague was amazing at debugging code and integrating disparate systems. But also a good person who helped mentor and advance others. She was given tasks that others had said were impossible to complete. Talent and hard work (Raye had a lot of both) allowed her to accomplish beyond expectations.

There is a lot of good career and life advice woven into this story as well. Advice for everyone. I could have benefited from this book early in my career.

"Code Girls: The Untold Story of the American Women Code Breakers of World War II"  was recommended by several people in a Facebook group dealing with a Kindle Challenge that Amazon is running. The idea about code breaking sparked my interest right away. This book was more than just that though.

There were plenty of insights into code breaking but the look into the lives of these amazing women was the highlight. It was a different time and women were not as respected as they should have been. Yet, these women put their considerable talents into working for the war effort and their country.

Code breaking is a fascinating subject in itself of course. I enjoyed reading about the “bombe” machines, how they were created and used. I also found the difference that code breaking made in the conduct of the war (World War II) to be interesting. This is not the sort of thing many history courses cover.

It’s easy to label these books as books for Women’s History Month or the Raye Montague book as being for Black History Month but that would be a mistake. These are books for all year long. I recommend them to anyone interested in the progression of computing in society. Code Girls is a great read for cybersecurity or cryptography students. Overnight Code is a powerful read for anyone, not just computer science people. It is just that inspiring.

Saturday, December 31, 2022

Looking Back and Looking Forward in CS Education 2023

Traditionally I write a year end look back on the previous year in CS education. (Last year at Looking Back on Computer Science Education in 2021) Honestly, that post would largely work for 2022 as well. I attended SIGCSE, CSTA, and the New England Regional CSTA conference. They were all great. There was good learning at all of them. But new stuff? Not a whole lot. A few new tools. Some new robots. Some new AI and cyber security curriculum. But really not a whole lot.

I think we’re in for some disruption in 2023 though. Tools like ChatGPT and GitHub Copilot are probably only the first of tools that are going to shake things up in teaching programming. Are we even going to still teach programming in computer science? If not, what will computer science courses look like? If we are still teaching programming how will we do it? What will it be all about?

We’re still going to see a need for teaching about cybersecurity for sure. Artificial Intelligence is also going to be more important. We’re seriously going to have to think about how we teach about it. We have to include not just how it works but how it should be used. Ethics in computer science has never been more important.

The discussion about ChatGPT and what it means for education in general and CS education in particular is going to be ongoing. We have to rethink how and what we teach. It’s going to be an interesting year. Have you been thinking about it? What are your thoughts so far?

Note: I highly recommend Mike Zamansky's blog post at Kicking off 2023

Saturday, August 13, 2022

Cyber Security and CS Education

Way back in time, cybersecurity was all about controlling access to the computer in the locked room with the raised floor. Well, you had to trust the people you did let in of course. I will not say much about the students I went to university with who competed to create the best, most realistic login emulator to steal passwords because, you know, that was all in fun. Later in life I actually had supporting the real login software as part of my job responsibility.

We were more aware of security by then. It was the real world. We spent a lot of design time on our various OS subsystems to make sure that access was verified and that people could only access what they were authorized to access. Dial in lines and then networks made things a bit more risky. I remember one system that required a second password of 16 random characters that changed every 5 or ten minutes (I forget which). Someone broke in anyway. Social engineering not technical engineering. People were and are still the weak link in computer security.

In the early days few people had access to a computer. Fewer still had technical knowledge enough to crack into systems. And most of them were (it seems) fairly trustworthy. As more people got access to both computers and knowledge, breaking into systems became more common.

Today there is a lot of talk about cybersecurity and the need for more people to be trained in the field. What does that mean for high schools? For one thing, it means a lot of people are saying that high schools should teach it. What teaching cybersecurity means is a question with still developing answers.

Should schools offer a whole course in it or can they cover enough in an existing course? If a full course, a semester? A year? Some part of a year? You’ll get a lot of answers but little in the way of a consensus. A lot of discussion about this on the Facebook group for Cybersecurity Educators. Resources at CYBER.ORG are helpful as well.

For now, individual schools are making their own decisions. These decisions are based on things like teacher knowledge to teach such information, room in the schedule, and resources available. Some school IT departments are not willing to let students experiment on networks in a school. Or even, in some cases, to have students learn about network vulnerabilities! I suspect that career technical schools are going to be the main source of high school courses in cybersecurity. There is less focus on AP exams and more focus on preparing students for the work force sooner rather than later. Oh yeah, colleges and universities but they are not my focus.

Comprehensive high schools are more likely to add some cyber security information into existing courses. AP CS Principles for example. A few will have longer courses but I suspect most of those will be independent high schools and charters as they have fewer restrictions and their politics is different. (Different does not always mean better or worse to be clear.)

Maybe when (if?) we get to a place where the learning of coding is done well enough and deep enough in middle school we can move away from HS courses that “just” teach programming and start using that programming to learn about other things in computer science. Like cybersecurity. Like data science (although we are seeing some of that in middle school already (Bootstrap:Data Science), which is pretty exciting). And like more artificial intelligence.

Programming is cool (to me) and important (to everyone!) but there is more to computer science than programming. Security is an important part of that and high school CS educators have to have it on their radar and give serious thought to bringing it into their curriculum.

Sunday, July 17, 2022

My Day Four at #CSTA2022

It’s a short day today but with plenty to learn. Last night was a great party at the Museum of Science and Technology. I left early (age?) but I know that a lot of people stayed late and partied hardy. There may be some tired faces in sessions this morning. It was a great community building event so well worth it.

First session for me was “You CAN Teach Cyber Security with CYBER.ORG’s Cyber Learning Standards.” CYBER.ORG is probably the premier Cybersecurity learning/teaching resource. CYBER.ORG is funded by the US Department of Homeland Security. We heard about a lot of their programs. It seems like they have something for almost everyone. I would start there for Cybersecurity resources for teaching. CYBER.ORG funded a large group of educators to write a set of Computer Science Learning Standards.

I had several good options for the last time slot but Nifty Assignments is a must see for me. The version at SIGCSE is always standing room only but apparently it is not as well known at CSTA yet. Baker Franke does a great job of putting this session together. For reference, CSTA Nifty Assignments are archived at CSTA Nifty Assignments. SIGCSE Nifty Assignments are archived at Nifty Assignments. I was paying too much attention to take much in the way of notes but the archive should be updated soon. One of them can be played at Mind Reader - App Lab - Code.org. The archive is updated and I can’t wait to try some of these when I get home.

That’s a wrap for me. I skipped the closing keynote to get to the airport early. I feel a little guilty but I’m also tired and my brain is kind of full. Some more general thoughts tomorrow.

Friday, July 15, 2022

My Day Two at #CSTA2022

Day two started off great as I connected with several people from my home CSTA Chapter – CSTA New Hampshire. The CS community in New Hampshire is growing and the CSTA Chapter has been a part of that. I’m planning on getting more involved in chapter stuff in the future.

My first session of the day was about teaching ethics when teaching artificial intelligence. Jeremy Keeshin (a last minute replacement as I understand it) from CodeHS was the presenter.  Seems like some good small group discussions took place. Maybe I was tired but I didn’t get into it very well. My fault. Wasted opportunity. I did get a copy of Jeremy’s book “Read Write Code” which I look forward to reading.

Next up for me was a session on preparing the future developers of the metaverse.  The presenters were from Carnegie Mellon. First I have heard of XR as a generic term to include Augmented Reality, Virtual Reality, and Modified Reality. We had some really interesting discussion of using virtual worlds in school. One school had a virtual birthday party in Minecraft. Minecraft has moved from pure play to an educational platform.

Students are picking different virtual worlds to play in as they age. It occurs to me that younger kids are building things in games like Minecraft and Roblox but older students, especially boys, are moving to games like Call of Duty which are more destructive. Something to think about.

My number one to look more into is Arena XR – An Augmented Reality Edge Network Architecture.

I really enjoyed this session and had some good interactions and learning with my tablemates. Slides for this session are at CSTA2022 NoStudentLeftBehind.pdf - Google Drive

Lunch break and more time in the exhibit hall. I got a close look at the Jacdac devices for use with a Micro:Bit. I may splurge and buy a starter kit. Note that I posted a brief look at Microsoft and other big companies exhibits at Amazon, Google, Meta, and Microsoft at #CSTA2022

First afternoon session was about writing for Hello World magazine. I was proctor and arrived before it started but after most people entered the room. Watching the clock is important as it is so easy to get distracted with so much going on. Anyway, the slides for this talk are available at CSTA_Writing Workshop Presentation.pptx - Google Slides  A lot of good stuff here. I hope this gets more teachers to write for the magazine.

Next up was a session on cryptography with an exercise in creating a Pringles can Enigma machine. We started the session with a brief introduction to Cyber.org and with an introduction to the Pigpen Cipher. (Note that this is one of the ciphers covered in my (PDF) free Tiny Book of Simple Cryptography.) We had some fun creating our mini Enigma machines and working through how they work. We only used one rotor but I brought home some sheets to make a larger one with a larger can when I get home.

Overall, a pretty good day. Some very good sessions, some good conversations at the exhibit hall, and many amazing face to face conversations with friends. I am exceedingly glad to be here this year.

Wednesday, April 13, 2022

Last Mile Education Fund–Making a Big Difference

We often underestimate the difference that small things can make. When I was in high school all I could afford was a cheap plastic slide rule (no calculators back then) and it really slowed me down with math. I sometimes wonder what a more expensive and accurate slide rule would have done for me. I had other privileges and did well in the long run. But that is not the case for everyone.

Privilege often gets conflated with potential when in fact a lot of potential gets short circuited because of obstacles that are more common for non-privileged students. Things that are non-issues for many become showstoppers for far too many others.

Picture a student with great potential in computer science who can’t afford a good laptop? Or cannot afford her textbooks or lab fees? Low income students often take longer to graduate because they don’t have adequate preparation and need some extra courses and time to catch up. That often means they run short of funds even with the finish line in sight.  Even good scholarships often leave gaps in funding that limit students from underprivileged backgrounds.

That’s where the Last Mile Education Fund is making a difference today. From the mission statement of the Last Mile Education Fund:

  “The Last Mile Education Fund takes an abundance approach, investing in a broader group of students already committed to technology and engineering fields, providing support for challenges they face beyond their control, and incubating them to be the next generation of innovators.”

Last Mile Education Fund invests in striving, low-income students pursuing degrees in the high-demand fields of technology and engineering to support them in their last mile to graduation and into a career.

A number of grant programs are available. Some of them specifically for female and non-binary students but a number of them are available to all genders. The Microsoft Cybersecurity scholarship is for community college students of any gender for example. Full information about these opportunities is available at the Current Funding Opportunities page. I have links attached to some that have pages with more details. They include:

  1. EMERGENCY MINI-GRANTS
  2. Bridge Grants
  3. LAST MILE GRANTS
  4. MICROSOFT CYBERSECURITY SCHOLARSHIP PROGRAM
  5. NORTH TEXAS BIOTECH WORKFORCE FUND
  6. REU PARTICIPATION FELLOWSHIP

If you know of students who could take advantage of these grants please spread the word. And let teams/people at universities and colleges who support low-income students know about these programs as well. They can help a lot of high potential students with some hurdles that could but shouldn’t hold them back.

Friday, December 31, 2021

Looking Back on Computer Science Education in 2021

I’ve never felt less prepared to write a look back on CS education than I do today. I’ve been retired for most of the year and the world has been changed a bit because of COVID. I have noticed some things have clearly happened. One is the increase in online development tools which I talked about a year ago. The other is an apparent growth in cyber security education.

I’ve also noticed some increase in virtual reality programming courses as well. How that will go is anyone’s guess. There are two barriers. One is that VR hardware is still expensive. It’s not just devices like the Oculus but also computers capable enough to support VR and its development. A lack of training is also a barrier. Most teachers seem to be learning on their own with help from documentation and videos from companies. That and some support through social media from other teachers.

The Unity Teach Community has well over 2,000 members and is very active. I highly recommend it if you are looking to get involved in teaching VR.

Online teaching and programming tools have really taken off. The code.org courses support this sort of thing but they are far from the only option. CodeHS for example shows up a lot in social media discussions. As does Coding Rooms. And repl.it. I should probably collect a list of them for a future post. Perhaps you could add your favorites as comments and help me out?

Cyber security has also seen a lot of growth. Cyber.org has a lot of materials and provides cyber security professional development. Social media support for teachers coming from teachers has also been growing. I recommend the Cybersecurity Educators Facebook group. Over 1,000 members and active and growing. This field is going to boom as security gets more attention all the time.

Every year I expect  the Internet of Things to take off but it never really does. The pandemic has made doing any sort of physical computing more difficult. But I keep hoping.

Machine learning and artificial intelligence didn’t seem to pick up a great deal but it is growing. AI 4 K12 has a lot of useful resources from teachers and I recommend checking them out. Most of what I see in K-12 AI is units in existing courses and not specific full courses. That’s probably best at the K-12 level. The math and coding involved in creating AI from scratch is intense. Learning how to use existing tools is both useful and age appropriate.

So progress has been made and that’s a good thing. 2022 should be interesting. Hopefully, in a good way.

Friday, July 16, 2021

Notes on Day Three of #CSTA2021

No morning help desk duty for me today so I watched the whole “Morning Java” session. For those of you not at CSTA, Morning Java was an introduction to the day with our conference chairs and guests. Today, Michelle Lippoli, Senior Operations Manager (Events and Membership) for CSTA, talked about all the work that goes into running a conference like this one. And it is a lot of work! Next year CSTA will be in-person in Chicago. There is a lot of excitement about being able to meet in-person but I hope we have the virtual option as it makes the conference possible for so many more people.

First session of the day for me was Nifty Assignments. Though I was tempted by Python and Micro:bit…on a Calculator? and I will look for the video in the future. Nifty is a conference favorite. The idea started at SIGCSE (See more on that here) and I have used projects from previous sessions at CSTA and SIGCSE.

Michele Lombardi - Unplug the Internet!  9-12
Review internet vocabulary, how messages are sent, and introduce potential cyber attacks using this unplugged internet simulation.

I’ve done something similar but I love the forms she uses and the other information about things to do.

Cindy Gonzalez - Bring your 3D world to life!  K-5
Design a 3D design in Tinkercad, upload your design to Cospace, code your design & enter your 3D world using the DoInk Green Screen app

Talk about making students creators and not just consumers. I love the cross curriculum opportunities.

Roger Jaffe - RSA Encryption Without the Math  9-12
How to teach RSA encryption without having to teach the math

I struggle with teaching public key encryption so this set of resources looks very exciting to me. I can see using this lesson in Advanced Placement Computer Science Principles.

Learn more about CSTA Nifty Assignments at: https://sites.google.com/site/cstaniftyassignments/

After Nifty Assignments, I attended Teach Cybersecurity. Change the Future. (Slide deck here) Did you know that there are guidelines for what to teach about cyber security? There was a lot of discussion about teaching cyber security in the chat. A lot of teachers are, not unreasonably I think, worried about students misusing the knowledge. The Teach Cyber program, and every other program I have looked at, included ethical thinking integrated into the curriculum. This is a curriculum worth looking into if you are thinking about adding a cyber security course.

Last mini session of the day for me was My CSP Experiment – teaching Advanced Placement CS Principles with two different programming languages at the same time (JavaScript/AppLab and Python). This teacher developed a detailed scope and sequence with dates and time and then mapped the concepts to units from different curriculum programs (code.org, CodeHS and others). Concepts were taught largely with pseudo code and unplugged activities. That was a lot of work. I really admire her skills. (Slides are here)

Well, that’s a wrap for me. It’s been a great conference and I learned a lot. I’m glad I don’t have to travel for hours to get home.

Monday, November 16, 2020

Tiny Book of Simple Cryptography

I've been playing with simple cryptography. Mostly stuff that was solid before computers. Just for fun mostly but some of it may make for interesting projects for students. I've written a little bit about the things I have been playing with.

This is not a big book and it is intended more to spark interest and not to be a real reference book. There are footnotes linking to Wikipedia articles that would be a good next step for learning more.

I have a couple of substitution ciphers and a couple of transposition ciphers. Added some Steganography.

http://www.acthompson.net/TinyCrypto.pdf

Comments and gentle criticism welcome. I have coded solutions in C# that are ok. Some of them even have comments.

Updated 5 March 2021 to include a brief chapter on the PigPen Cipher. Also some minor edits in other sections.

Sunday, April 05, 2020

Coding For Fun and Mental Exercise

Recently, I started reading a book about the mathematics of cryptography. (Mathematics of Secrets) Fascinating. A lot of the math is hard (to put it lightly) for me but the stories that go along with the development of it all are fascinating.

So far I have learned a few things and made my Caesar Cipher program much more efficient. I really need to revisit my Vigenère cipher program and make it more efficient and more interesting. The other night I coded up a quick transposition cipher. It was fun and once I got the algorithm down in code it was easier to get to sleep. Writing the code does help me understand what I am reading and that is a real benefit.

We’ll see how I am feeling when I get to the chapter on public key encryption. So far, I am sticking with the easy math and playing with ciphers that are far from modern cryptography. I'll leave that to the professionals.

Caesar and Vigenere are common enough programming assignments but I may write up the transposition cipher as a project for future use. If not for my own classroom, then for a project book I have in mind. Miles Berry pointed out that teaching ciphers by having students write a little code and experiment with different variations is much more fun and engaging for students than exercises away from the computer. Doing this stuff by hand can be a bit tedious.

For now though I am finding some pleasure in writing some not very complicated code as a way of exploring ideas that I am learning. I’ve had a chance to play with some libraries and methods that I haven’t really gotten to use before. That’s been fun. So much of my coding the last couple of years has been limited to the stuff I teach in a first programming course. I’m using this time to stretch myself a bit. Perhaps get my coding “muscles” back in shape.

In any case, for me,  coding == fun

Friday, September 06, 2019

Password Checking Tools

Neil Plotnick shared some Password Checking Tools on Facebook recently. I’ve used some of these in the past and find them useful and instructive.

The more security aware of my students always ask me how safe it is to use these websites. I tell them to use things they think are good passwords but not ones they actually use. Some of the sites make the same recommendation.

The first two sites above give an estimate for how long it would take a computer to brute force crack the password. The estimates don’t always agree. This is not surprising as they are probably based on some slightly different assumptions. The time scale is more important than the actual number though.

The third site explains why a password is strong or weak, which is very useful. One thing that is interesting is the impact of special characters. I have run into a number of sites that don’t allow special characters in passwords. I find that surprising and wonder why that is. I’d rather require their inclusion.

Having students in a programming class write their own password checker is a great exercise by the way. It helps reinforce string manipulation, general parsing concepts, and password safety all at the same time.
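
A sketch of the kind of checker students could write, added here as an example and not code from the original post: it estimates brute-force time from password length and character classes under two assumed guess rates, which shows why the sites' estimates disagree and how much a special character widens the search. The function names, the guess rates and the short common-password list are assumptions made up for this example.

```python
import string

# Constructed sample of very common passwords (illustrative, not a real list).
COMMON = {"password", "123456", "qwerty", "letmein", "iloveyou"}

# Assumed guess rates in guesses per second; each real site picks its own.
RATES = {"online, throttled": 100, "offline, fast hash": 10**10}

# Character classes the checker recognises. Anything outside them (spaces,
# non-ASCII letters) is ignored by this simple model.
CLASSES = [
    ("lowercase", string.ascii_lowercase),
    ("uppercase", string.ascii_uppercase),
    ("digits", string.digits),
    ("special", string.punctuation),
]

def missing_classes(pw):
    """Names of the character classes the password does not use."""
    return [name for name, chars in CLASSES if not any(c in chars for c in pw)]

def pool_size(pw):
    """Alphabet size a brute-force search has to cover for this password."""
    return sum(len(chars) for _, chars in CLASSES if any(c in chars for c in pw))

def search_space(pw):
    """Number of candidates of this length drawn from that alphabet."""
    return pool_size(pw) ** len(pw)

def crack_seconds(pw, rate):
    """Average case: half the search space, in whole seconds."""
    if not pw or pw.lower() in COMMON:
        return 0  # a dictionary attack finds these on the first tries
    return search_space(pw) // (2 * rate)

def humanize(seconds):
    units = (("years", 31_536_000), ("days", 86_400), ("hours", 3_600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds // size:,} {unit}"
    return f"{seconds} seconds"

def estimate(pw):
    """Crack-time estimate under each assumed guess rate."""
    return {name: humanize(crack_seconds(pw, rate)) for name, rate in RATES.items()}

if __name__ == "__main__":
    for pw in ("abcdefgh", "abcdefg!", "Password"):
        print(pw, estimate(pw), "missing:", missing_classes(pw))
```

The same eight lowercase letters come out as decades against a throttled login and seconds against an offline attack, so the time scale depends as much on the assumed guess rate as on the password.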

Wednesday, July 10, 2019

CSTA 2019 Day 3

So I missed the opening keynote which I am sure was amazing but I spent the time catching up with a good friend who I see too rarely. Time well spent. Leigh Ann Delyser from CS for All sometimes talks about the CS community as her grown up summer camp friends. I have to agree. The face to face time with friends at a conference makes the communication between in real life meetings much better.

My first session of the day was a panel about advancing equity and diversity. It really focused a lot on curriculum and how to teach to ALL students. Not a limited focus on girls or under represented minorities but a realization that diversity requires welcoming environments for ALL students. There was also some good discussion about creating projects that are open and inclusive for students of different abilities and backgrounds. This is just one time when curriculum in general and finding the right projects for the classroom. I need to think about writing up more on that topic.

My last session before lunch was a series of three mini sessions. The first was on Engage CS Edu. This is a curated site with projects of various types and concepts for CS educators. It is “Foster diversity in your introductory computer science courses with quality content and engaging pedagogy”. This looks very helpful as I am always looking for engaging projects that work with diverse students.

The second mini-session was on How to effectively Manage a CS class and was mostly about how CodeHS helps this teacher manage his courses. If I were looking for a new curriculum I would take a serious look at CodeHS. CodeHS has both free and paid levels.

The third mini-session was Building a Cyber Center for Excellence. They seem to have a very impressive cyber security center at Grand Canyon University. I don’t think a lot of it is reproducible in a high school but some of it is. The speaker has a free guide containing High School Cybersecurity Education Websites and Resources which I did download and a not free ($3.99) ebook called “Beginner’s Guide to Developing a High School Cybersecurity Program” so I can learn more.

Overall, a very good conference for me. I learned a lot and I have ideas for the new school year.

Oh and next year’s CSTA Conference will be July 11-15 in Arlington Virginia.

Wednesday, November 14, 2018

Post-secondary Cybersecurity Curricular Recommendations

There is more computer science than we could ever cover in grades K-12. So much of it is important and exciting. Every parent open house I get suggestions for what we should teach in high school. There is no way we can teach it all. There is no way we can do everything in universities either. One other thing is clear, cyber security is growing in importance. While I try to cover a little of it in my courses (easily fits a few classes in several courses) I can’t cover as much as I’d like. My hope is that universities cover a lot more. I think most do.

The ACM and IEEE have just reported out a document to help post-secondary schools design their cybersecurity programs. I haven’t read the whole document yet but I know some of the people involved in writing it and in the process that goes into creating documents like this, so I am confident in recommending it.

Do you cover cybersecurity in your curriculum? How much do you have time for?


First-Ever Global Curriculum Guidelines Reflect Worldwide Demand for Qualified Professionals and Urgent Industry Needs

After an extensive two-year process, a joint task force led by the Association for Computing Machinery (ACM) and the IEEE Computer Society (IEEE-CS) has released a first-ever set of global curricular recommendations in cybersecurity education. This new set of guidelines, Cybersecurity Education Curriculum (CSEC2017), is designed to be the leading resource for comprehensive cybersecurity curricular content at the post-secondary level. More than 320 advisors drawn from 35 different countries contributed to CSEC2017.

Wednesday, April 04, 2018

Phillips Academy Capture the Flag 2018

Those of you with an interest in working on cybersecurity with your high school students will find this Capture the Flag event to be of interest.


PACTF is back! PACTF 2018 begins Monday, April 16. Like last year, PACTF will work around your schedule and have a challenge for you, whether you’re a seasoned CTF veteran or just beginning. This year, we are proud to offer over $20,000 worth of prizes to the top 150 teams.

Short for Phillips Academy Capture the Flag, PACTF is a computer science and cybersecurity competition for high-schoolers. PACTF is brought to you by Amazon, DigitalOcean, and JPMorgan.

There will be two week-long rounds: from April 16 to April 23, and from April 23rd to April 30, 2017. During each round, you can pick any 48-hour span to compete with your team.

Registration is open — sign up now!

Happy hacking,
The PACTF Team

Monday, February 26, 2018

Cyber Security or Just Good Program Design?

People continue to share things that they learned at SIGCSE online. Recently Ria Galanos, from Thomas Jefferson HS, shared Cybersecurity Modules: Security Injections|Cyber4All @Towson. These are a bunch of modules for teaching about various security issues like integer errors, Input Validation, and buffer overflow. Examples are in a number of languages including C++, Java, and Python. Looks like great stuff really.

From what I understand the majority of security vulnerabilities in software are a result of one of these three types of errors. Clearly they are important concepts but we don’t spend a lot of time talking about them in beginner classes. That probably needs to change.

It seems like we keep adding things to what we should be teaching beginners. Ethics, Accessibility, Security, and let's not forget the stuff for the AP Exam. How do we fit it all in?

Ultimately we have to do things in parallel. I think we have to think about ethical computing, safe programs, and accessible software as all part of good, solid program design. I think it is a mistake to think about all of these things as separate units to be taught in isolation. Projects can be created that integrate security, accessibility, and more by defining them all as good design. Not something special to do just for security or just for accessibility but for sound design.

Now to go look at my projects and see how to do all of that.

Tuesday, November 14, 2017

Joint Task Force on Cybersecurity Education Draft Report

The Joint Task Force on Cybersecurity Education is working on curriculum recommendations for post secondary schools but I think their work will be of interest to teachers of other levels as well. It is probably going to be interesting to cyber security professionals as well. Their latest draft report is now available for download and comments at CSEC2017 v. 0.95 Report.

Take a look. More information at the Joint Task Force on Cybersecurity Education website.


The JTF was launched in September 2015 as a collaboration between major international computing societies: Association for Computing Machinery (ACM), IEEE Computer Society (IEEE CS), Association for Information Systems Special Interest Group on Security (AIS SIGSEC), and International Federation for Information Processing Technical Committee on Information Security Education (IFIP WG 11.8).

The JTF grew out of the foundational efforts of the Cyber Education Project (CEP).

Purpose...

The purpose of the Joint Task Force on Cybersecurity Education (JTF) is to develop comprehensive curricular guidance in cybersecurity education that will support future program development and associated educational efforts.

The curricular volume, CSEC 2017, is estimated to be published in December 2017.