Defense Against the Dark Arts is Oregon State’s course in computer security. If the title rings a bell, it’s because it’s also the name of the magical defense class that Harry Potter and his classmates took at Hogwarts. Having a playful name, (especially in comparison to “Assembly,” “Networks,” “Algorithms,” etc.) made me think that the course would be playful too, but I was mistaken.
This course ended up being one of my least favorites of the entire program. Unfortunately I didn’t have much of a choice. I enrolled in the course without any other realistic option – it was the only elective offered this term, so in lieu of postponing my graduation, this was my only choice.
The content of the course is delivered via weekly lectures. The lectures themselves are recordings of talks presented by industry professionals from Intel and McAfee. There is approximately two or three hours of content to watch each week.
There’s good and bad here. On the good side, I found the presenters engaging and knowledgeable. They told interesting stories and shared what I believe to be valuable information. On the bad side, however, the lectures are much, much longer than necessary. Since they’re recorded in a classroom full of students, there are lots of questions, interjections, and jokes, and as the saying goes, “you had to be there.” It seems like some of these have been edited out, but my point still stands.
The worst part of the lectures, in my opinion, is their age. It doesn’t really bother me if a lecture on the basics of C++, or algorithms, or Assembly are dated since those subjects don’t change much year to year. But computer security? This field is constantly changing, which left me wondering: “What are we missing?”
I can appreciate that inviting engaging speakers and recording lectures is a difficult and time-intensive enterprise. One way that I think Oregon State could manage this challenge is to communicate to students the general schedule on which their lectures will be refreshed. This would show students that the computer science department is planning ahead rather than just waiting for their lectures to become embarrassingly outdated before updating them.
I didn’t do any advance preparation for this course, nor did I find it necessary.
There are several labs. I found running them via the provided virtual machine to be time-consuming and cumbersome. A friend who’d taken the course previously recommended time-boxing the labs and then just writing up what I was able to complete. I used this strategy for several labs and was never docked points.
The assignments that didn’t require a virtual machine were much better. In one we were asked to write a script which flagged suspicious URLs. I love this sort of exercise because it gives you a chance to see how good your script can become, which is a nice contrast to the usual programming exercises which either work or don’t.
Another assignment (which took the place of a final exam) required solving challenges on Hack The Box. These were also great and I wish that they were incorporated earlier in the class.
Finally, each week of lectures requires a corresponding blog post about what was learned during the lectures. I’m a big advocate of making learning visible, and so I think this was a valuable part of the course. You can see my posts here.
There were no formal exams in the course, which also meant no ProctorU. Hooray!
When analyzing a piece of malware I occasionally found it helpful to take its hash and search it online. This usually directed me to McAfee’s site which had a listing for that particular malware.
Difficulty and Time Commitment
This class was easy and a relatively light time-commitment. I spent approximately 40 hours over the course of the term, which works out to an average of 4 hours per week. The two final weeks were especially light, since the lectures were combined into one unit and the final assignment could be completed early.
What I Liked and What I’d Do Differently
I didn’t care much for this class for the reasons I outlined above. Briefly, the lectures felt slow and outdated, I didn’t like using the buggy virtual machines, and with the exceptions outlined above, the assignments were uninteresting.
Perhaps the greatest indictment I can level against the class, though, is that I feel no more versed in computer security now than when I started. Yes, I know some new terminology, and I watched a lot of lectures and wrote some blog posts, but there’s a big difference between listening and doing. This class lacked doing. Then again, perhaps it was my fault. The instructor says at the beginning that we should expect to get out of the class what we put in. I’m just not sure what else I ought to have done.
All of that said, this class did have one major thing going for it: arranging for the instruction to be done by people working in the industry. Now if they could just update those lectures.