Tuesday, August 16, 2022

Learning Secure C (was Re: Geomant - Would you review my first C project ?)

Hi Ingo,

Thanks very much for taking a moment to reply. Since it is a public
mailing list and not everyone may be aware of the context of my
question, I will respond with some clarification.

On Monday, August 15, 2022, 06:14:43 p.m. PDT, Ingo Schwarze <schwarze@usta.de> wrote:

>Hi Jason,

>> As long as learning C came up, does anyone from the OpenBSD community
>> have an opinion on whether this training for writing secure C would be
>> worthwhile for someone with mid-level skills?
>> https://www.sei.cmu.edu/education-outreach/courses/course.cfm?courseCode=V35

> This isn't perfectly on topic, but i doubt you will find overwhelming
> enthusiam for the purchase of a "professional certificate" on an
> OpenBSD list.

This was recently established for me on the OpenBSD Facebook group, and
I was in agreement: certs only matter to recruiters and bureaucrats. My
question was more about getting some expert opinion of the quality of
the content than whether it provides a serious credential. At very
least by reputation I would consider the OpenBSD project one of the
better sources for security expertise in C.

> I know several people inside OpenBSD and a number outside whom i
> would trust to be able to code to good security standards, but if
> somebody presented me with a certificate, that would more likely
> inspire significant doubt than any kind of confidence in me, no
> matter how reputable the organization issuing the certificate...

Interestingly, we have an Austrian researcher here in Canada doing
fascinating work in the area of how western academic institutions
are good at churning out graduates who have all manner of credentials,
but are not necessarily good at developing higher order thinking skills
in their "victims" (I won't name the institution since it is also a
rinky dink online school that fleeces undergrad students with programs
of questionable quality content to help fund said research and I don't
want to negatively impact the reputation of their work). I would indeed
expect your trust to be based on quality of output...I'd be concerned
with you too if you worked on OpenBSD and blindly let pieces of paper
sway your opinion of someone's ability.

> Apart from that, the media and methods that help people to learn differ
> from person to person, but regarding the topics of this particular
> course, it looks like you get about the same range of topics, and
> maybe even more, in any case for significantly less money, from buying
> Dowd/McDonald/Schuh, "The Art of Software Security Assessment" and
> studying that, and then applying it to a real code base. Of course,
> you will need *lots* of practical experience in addition, which
> you can neither get from taking a course nor from reading a book,
> but only from practical work.

If this course covering unique research being done at Carnegie Mellon is
roughly equivalent to your 1200 page tome on security but specifically
applied to C and C++, I will take that as an endorsement. Could you also
identify a course or training that covers the material from
Dowd/McDonald/Schuh and has maybe a sandbox for exercises and provides
evaluations to assist with mastering the content? If so, I'd consider
it. It does not need to be paid for training; the best quality Unix
programming related resource I've been able to find thus far is a grad
level course that the instructor has made materials freely available for
and put his lectures on youtube.

If you come from a country where the state pays for your University
education, I can understand why you might spend less time considering
the social implications of how learning happens. We are 2022 now, a lot
of learning is going to take place online from here on out thanks to the
pandemic. The learning science community had already well established
that the best and most inclusive learning is not necessarily
happening at industrial era style classrooms in brick and mortar
institutions and that a multimedia platform is an option capable of providing
better skills mastery, so it is good this is happening. Universities are
also freaking expensive in North America so that 40% of students are
dropping out for financial reasons. Thank {God,Jesus,Yahweh,Allah,Gaia,
The Flying Spaghetti Monster} that places like MIT's Open Learning
department are making so much quality content freely available.

>Mid-level is a rather fuzzy term, but some might say these topics are
>good to get acquainted with even for beginners, and yet a mid-level
>programmer seems unlikely to master them.

Mid-level is meant to be generic and apply to a wide range of people
who might be interested. In my specific case, I am operating at the
system administrator level: I won't be architect-ing anything with my
current skill-set, but I can write scripts and trivial programs and with
a bit of effort can read and understand code in a larger system written
by others (I also recognize your dirty laundry if it's there). I am
thoroughly excited about the prospect of taking the time and effort
to master these skills.

>Yours,
> Ingo

Sincerely, thank you Ingo for providing your opinion and being
honest about your personal biases. That is invaluable help while
navigating a new and uncertain education landscape. Now if we could just
get more of the general public off Facebook and TikTok and using the
internet as the research and communication tool it started out as,
maybe we'd have a fighting chance at cleaning up some of this shitshow
that is modern profit driven commercial/corporate technology. I am so
freaking glad that projects like this exist. Thank you!!!

Kindest Regards,

Jason


Jason Kinney
Ethical Technologist
Surrey, BC, Canada
jkinney23@yahoo.ca

No comments:

Post a Comment