May 8, 2018 Tags: csec, umd
Previously: Announcing CMSC389R — “Introduction to Ethical Hacking”
As part of my last semester at the University of Maryland, I helped facilitate a 1-credit student-initiated course on ethical hacking. This is a writeup of what I learned from the process.
Mike, Josh, and I designed CMSC389R from the ground up: we wrote all of the slides, developed all of the homeworks and exams, and wrote all of the backend software needed to support 29 students.
All told, this took much more time than I thought it would — we needed to make sure that our slides weren’t either too dense (50 minutes a week isn’t a lot of time!) or too light (it’s hard to keep people interested on a Friday afternoon!), and had to steer clear of topics that other courses would touch on more substantively.
We also had to control for what students had forgotten from earlier classes — our only prerequisites were CMSC216 and 250 (C/UNIX and discrete structures), and many students leave both with only the faintest memories of writing C and doing discrete mathematics[1]. Ultimately, we allowed students to do (most) challenges in their language of choice, and provided a Python skeleton. This ended up working out surprisingly well, especially considering that the CS department doesn’t currently use Python in any lower-level courses.
The class was structured around weekly homework “challenges” designed to mimic those given during competitive CTF events. We only gave one exam (a midterm), with the “final” being a special challenge.
Coming into the class, I expected the grading process to be straightforward: students would get points for discovering flags and providing explanations, and lose them for failing to perform either task. I ended up being very wrong — it takes a lot of time to read the prose of 29 students, and even more time to figure out how to distribute points. Having three facilitators cut the individual work down substantially, but added an additional skew problem: I (initially) found myself grading students harder on the assignments that I designed, and easier on the assignments that my co-facilitators designed. Controlling for that took practice, and a lot of back-and-forth on individual problems and responses.
(p.c. Dave Levin)
More than anything else, I discovered how much I enjoyed teaching. Before this class, I had only ever given one-off presentations, usually to a medium-sized and pizza-satiated audience[2]. Lecturing on a weekly basis was immensely rewarding: I watched students go from knowing next to nothing about cybersecurity to participating in UMD-CTF and winning cybersecurity-related prizes at Bitcamp. It was extremely gratifying to see students take classroom materials and apply them to the real world (in an ethical fashion!).
It’s the end of my undergraduate career, but hopefully not my last time teaching.
And so, a big thank you to: