Computer Security
Response to comments
 
October 2004


Some comments made by students were fed to me via the Staff/Student Consultative Committee, and I am writing my responses here. I welcome further comments from students enrolled on the module.

Since the comments come from a small number of individuals, I took steps to solicit the opinion of a larger and therefore more representative set. Results of survey. I conclude that the views expressed are not held by the majority of students. Nevertheless, they are held by a minority and (being a member of several minorities myself!) I would like to address them.

  1. Unclear as to what we are expected to know... The complicated parts like DES and RSA seem fumbled through, we are told we are not expected to know how they work, just that we should know approximately how they work. If that is all we need, why not just present the algorithms at a much higher level of abstraction?

    I don't expect anyone to remember details of DES and RSA, but I do think it is important to have a feel for how they work, what they rely on, and what is known about the theoretical properties of the algorithms. That is why the lecture notes contain a simplified version of DES: all the ingredients, but fewer rounds and fewer bits. A very abstract presentation would not give you any feel for what is really going on, while presenting the full algorithm risks being boring. I don't see how else to do it but the way I have done.

    The learning outcomes say that you are expected to demonstrate understanding of a range of problems of computer security, and the available solutions and tradeoffs, and to describe and evaluate security applications and techniques described in the literature. This means you have to understand DES and RSA in the sense of being able to explain what the role of S-boxes or modulo arithmetic is, but you are not expected to be able to describe the algorithms in detail from memory.

  2. What he teaches is too mathematical and doesn't really touch on what we need to know for the exam or on anything useful.

    Computer security is substantially based on notions which could be considered broadly mathematical, and I don't think it is possible to understand it without using some mathematical notation such as that used in the lecture notes. I try to explain principles and ideas rather than particular products and technologies, because I think that products and technologies will change quickly while ideas and principles will last longer. The student seminars, however, are likely to focus more on technology, providing a balance for the module.


  3. Waste of time - I know what a firewall/virus scanner/spyware is. If there was more technical content it would probably be worthwhile, but the lack of this, coupled with the hugely overfull classes, make it a waste of time.

    You have the diametrically opposite view to the writer of the previous comment, which shows me that it would be impossible to satisfy everybody if ever I were tempted to try. Actually, I have hardly ever mentioned firewalls and virus scanners, but we did have a guest lecture on spyware which I found interesting. I wondered if you are right that the audience already knows the content of the lectures. I think the survey shows that they do not. Moreover, since receiving your comment I have tested whether what I am saying is known to the audience or not, by asking a question and trying to solicit answers. On several occasions no-one was able or willing to answer, which has led me to think that students don't know in advance the point I am making and that this person's view is an isolated case.

    Sorry that you think the lectures are overfull. There are 40 people registered on the module.

  4. Dr Ryan mentioned that the concepts and ideas are more important than the details, yet these were mainly skipped over in lectures and the technical details taught instead.

    Hmmm, I suppose it is hard to focus on concepts and ideas alone. I needed some technical details to convey the ideas. But nevertheless it is the ideas that are important.

  5. Basically my opinion is that Mark Ryan doesn't seem to know the subject all that well -- all he does is read off the lecture slides.

    I hope you are wrong on both counts! Of course I know the subject of each lecture very well, although I am aware that computer security is a vast topic and I certainly don't know it all. I also think you are unjustified in saying that I just read the notes. That is not my style at all. I prefer to involve the audience and get interaction going. It has certainly happened that what is written on the notes has taken me by surprise, because it is a while since I wrote them and I have sometimes had to give the lecture without finding the time before it to re-read the notes. Perhaps these occasions have triggered your comment, but I think the comment as a whole is not justified.