Do we know how to teach secure programming to K-12 students and end-user programmers?

I wrote my CACM Blog post this month on the terrific discussion that Shriram started in my recent post inspired by Annette Vee’s book (see original post here), “The ethical responsibilities of the student or end-user programmer.” I asked several others, besides the participants in the comment thread, about what responsibility they thought students and end-user programmers bore for their code.

One more issue to consider, which is more computing education-specific than the general issue in the CACM Blog. If we decided that K-12 students and end-user programmers need to know how to write secure programs, could we? Do we know how? We could tell students, “You’re responsible,” but that alone doesn’t do any good.

Simply teaching about security is unlikely to do much good. I wrote a blog post back in 2013 about the failings of financial literacy education (see post here) which is still useful to me when thinking about computing education. We can teach people not to make mistakes, or we can try to make it impossible to make mistakes. The latter tends to be more effective and cheaper than the former.

What would it take to get students to use best practices for writing secure programs and to test their programs for security vulnerabilities? In other words, how could you change the practice of K-12 student programmers and end-user programmers? This is a much harder problem than setting a learning objective like “Students should be able to sum all the elements in an array.” Security is a meta-learning objective. It’s about changing practice in all aspects of other learning objectives.

What it would take to get CS teachers to teach to improve security practices? Consider for example an idea generally accepted to be good practice: We could teach students to write and use unit tests. Will they when not required to? Will they write good unit tests and understand why they’re good? In most introductory courses for CS majors, students don’t write unit tests. That’s not because it’s not a good idea. It’s because we can’t convince all the CS teachers that it’s a good idea, so they don’t require it. How much harder will it be to teach K-12 CS teachers (or even science or mathematics teachers who might be integrating CS) to use unit tests — or to teach secure programming practices?

I have often wondered: Why don’t introductory students use debuggers, or use visualization tools effectively (see Juha Sorva’s excellent dissertation for a description of how student use visualizers)? My hypothesis is that debuggers and visualizers presume that the user has an adequate mental model of the notional machine. The debugging options Step In or Step Over only make sense if you have some understanding of what a function or method call does. If you don’t, then those options are completely foreign to you. You don’t use something that you don’t understand, at least, not when your goal is to develop your understanding.

Secure programming is similar. You can only write secure programs when you can envision alternative worlds where users type the wrong input, or are explicitly trying to break your program, or worse, are trying to do harm to your users (what security people sometimes call adversarial thinking). Most K-12 and end-user programmers are just trying to get their programs work in a perfect world. They simply don’t have a model of the world where any of those other things can happen. Writing secure programs is a meta-objective, and I don’t think we know how to achieve it for programmers other than professional software developers.

January 14, 2019 at 7:00 am 13 comments

A little bit of computing goes a long way, and not everyone needs software engineering: The SIGCSE 50th Anniversary issue of ACM Inroads

This year is the 50th SIGCSE Technical Symposium, and Jane Prey was guest editor for a special issue of ACM Inroads on 50 years of ACM SIGCSE. You can see the current issue here, but yes, it’s behind a paywall — ACM Inroads is meant to be a membership benefit.

I’m really fascinated by this issue. Sally Fincher does a nice job telling the story of ICER. I enjoyed Susan Rodgers’ and Valerie Barr’s reflections. I’m still trying to understand all of Zach Dodds’ references in his SIGCSE 2065 future-retrospective. I found some of the articles frustrating and disagreed with some of the claims (e.g., I don’t think it’s true that AP CS enrollments plummeted after introducing Java), but discussion can be good for the community.

I was asked to write a piece about What we care about now, and what we’ll care about in the future. My bottom line is a claim that John Maloney (of Squeak, Scratch, and GP fame) reminded me is a favorite phrase of the great Logo (and many other things) designer, Brian Silverman: A little bit of computing goes a long way.

The important part of Scratch is that computationalists find value in it, i.e., that they can make something that they care about in Scratch. What we see in Scratch is the same process we see among the computationalists in computational photography, journalism, and science. They don’t need all of computer science. They can find value and make something useful with just some parts of computing. Scratch projects smell wonderful to Scratch computationalists.

There’s been a thread on Twitter recently about the use of software engineering principles to critique Scratch projects (see the thread starting here). Researchers in software engineering claim that Scratch code “smells,” e.g., has bad practices associated with it. There’s even a website that will analyze your Scratch project in terms of these software engineering practices, DrScratch.  The website claims that it is measuring computational thinking skills — I see no evidence of that at all.

These software engineering researchers are misunderstanding users and genres of programming. They ought to read Turkle and Papert’s Epistemological Pluralism and the Revaluation of the Concrete. People code for different purposes, with different ways of appropriating code. The standards of the software engineer are not appropriate to apply to children. Not everybody is going to be a professional software developer, and they don’t need to be.

Increasingly, people are only going to use parts of computer science, and they will achieve fluency in those. That’s a wonderful and powerful thing. A little bit of computing goes a long way.

January 7, 2019 at 7:00 am 25 comments

Do we want STEM education or do we want STEM learning?

I’ve mentioned a couple times that I’m working on using programming in teaching social sciences.  The goal is to teach STEM concepts (e.g., modeling, simulation, using graphical representations like charts, thinking about bias/skew and missing variables in big data, etc.), but in non-STEM subjects.  I argue that the “non-STEM subjects” part is key if you want diversity, if you want to draw in people who aren’t naturally going to show up in STEM classes.
I bounced this off an NSF program officer, and I got a pretty strong: “No.”  I’ll quote part of the response here.
While this is an intriguing idea, no, it would not be fundable in the XXX program as it does not involve the engagement of STEM faculty or their courses, assessments, or materials, or STEM majors.  (All of these are not necessary, but STEM is necessary, not just STEM learning.)
XXX is not just about improving or supporting STEM learning.  It is about improving STEM education.
There’s a distinction being drawn here between “STEM learning” and “STEM education.”  It’s an interesting and important distinction. I’m not at all saying that the officer is wrong.  This program officer is saying (paraphrasing), “It’s not just about learning STEM concepts. It’s about supporting the infrastructure and mechanisms through which we teach STEM.” (By the way, since this exchange, I’ve found other NSF officers in other programs that are more focused on STEM learning not just STEM education.)
That’s a fair concern. We do need STEM classes, curricula, assessments, and faculty. But if we really care about interdisciplinarity and broadening participation, we need to care about more than that.  We need to fund efforts to integrate STEM learning and use STEM thinking (e.g., Bacon’s Novum Organum) across the curriculum, to influence how we think about everything. We also need the infrastructure to support the institution of STEM education. The challenge is doing both.
There is an obvious connection to computing education.  We need more computer science teachers, curricula, tools, and classes. But we also need more students learning about computing, which might happen more inexpensively in mathematics, science, and social science classes. How do we prioritize?

December 21, 2018 at 3:39 pm 2 comments

What is programming-as-literacy, what does it look like, and what should we worry about? Alan Kay in Scientific American

Last month, I wrote a blog post about programming as a kind of literacy. I got some pushback.  Really? Literacy?  That programming in C stuff?  Well, no, programming in C is not what I mean by a form of literacy.  I recommended looking at some of what Alan Kay had written in Scientific American.

I decided to do that for myself.

Alan’s first article for Scientific American was in 1977, “Microelectronics and the Personal Computer,”  about the idea of a personal computer and the explorations they were doing at Xerox PARC with Smalltalk. I liked this one a lot because it emphasizes simulations “the central property of computing.”

The second was in 1984, “Computer Software.” Here’s where he defines literacy with the computer. It’s way more than just programming.

Alan_Kay_-_Computer_Software_SciAm_Sept_84

The third was in 1991, “Computers, Networks and Education.” This is the one where Alan really questioned whether things with computing were going in the right direction. For example, he worried about how people thought about “literacy” on the computer.

sci_amer_article-literacy-as-burden

He returned to the importance of simulation.

sci_amer_article-value-of-computing-is-simulation

And he was worried about people being critical of information that they find on the Internet (note that this is 1991, before Web browsers).

sci_amer_article-networked-computers

But in the end, Alan was hopeful, that we might develop a skeptical attitude with computing.

sci_amer_article-simulation

December 17, 2018 at 7:00 am 3 comments

Computational thinking abstracts too far from the computer: We should teach CS with inquiry

Judy Robertson has a blog post that I really enjoyed: What Children Want to Know About Computers. She argues that computational thinking has abstracted too far away from what students really want to know about, the machine.

Computational thinking has been a hugely successful idea and is now taught at school in many countries across the world. Although I welcome the positioning of computer science as a respectable, influential intellectual discipline, in my view computational thinking has abstracted us too far away from the heart of computation – the machine. The world would be a tedious place if we had to do all our computational thinking ourselves; that’s why we invented computers in the first place. Yet, the new school curricula across the world have lost focus on hardware and how code executes on it.

Her post includes pictures drawn by children about what they think is going on inside of the computer.  They’re interested in these things!  We should teach them about it.  One of the strongest findings in modern science education is that inquiry works. Students learn science well if it’s based in the things that they want to know. Judy argues that kids want to know about the computer and how code executes on the computer. We shouldn’t be abstracting away from that. We should be teaching what the kids most want to learn.

To be clear, I am not criticizing the children, who were curious, interested and made perfectly reasonable inferences based on the facts they picked up in their everyday lives. But I think that computer science educators can do better here. Our discipline is built upon the remarkable fact that we can write instructions in a representation which makes sense to humans and then automatically translate them into an equivalent representation which can be followed by a machine dumbly switching electrical pulses on and off. Children are not going to be able to figure that out for themselves by dissecting old computers or by making the Scratch cat dance. We need to get better at explicitly explaining this in interesting ways.

December 10, 2018 at 7:00 am 3 comments

Maybe there’s more than one kind of Computational Thinking, but that makes research difficult

Shuchi Grover has a nice post in Blog@CACM where she suggests that there is more than one kind of Computational Thinking, which tries to resolve some of the concerns about the term (some of which I discussed here):

It’s also clear to me that in order to help make better sense of CT, we must acknowledge and distinguish two views of CT for K-12 education that are defined and operationalized based on the context for teaching/learning/application. One is a view of CT as a thinking skill for CS classrooms, that includes programming and other CS practices with the goal of highlighting authentic disciplinary practices and higher-order thinking skills used in computer science. The other is CT as a thinking skill/problem-solving approach in non-CS settings—this is often about using programming to automate abstractions of phenomena in other domains or work with data with the goal of better understanding phenomena (including making predictions and understanding potential consequences of actions), innovating with computational representations, designing solutions that leverage computational power/tools, and engaging in sense making around data.

She says that their are two “views” of CT, but she does distinguish Wing’s original definition which most people don’t buy. So, it seems like there are three.  (Kudos to Shuchi for pointing out that Seymour Papert actually uses the phrase “computational thinking” in Chapter 8 of Mindstorms — so cool!)

But I’m still wondering: Why do we have to call all of these things “computational thinking”?  I get that there’s a lot of energy around the term, but it’s an overloaded term.  Think about it from the perspective of any other science.  If you discovered that a species of animal or bacteria you were studying was actually two species, you’d name them differently.  In the 19th century, physicists thought that light traveled through a “luminiferous aether,” but now, nobody uses that term because we realized that such a thing didn’t exist. Maybe we as scientists should invent some new and more accurate terms instead of overloaded and confusing “computational thinking”?  If we’re using “computational thinking” because it has marketing cachet with teachers and principals (even if the term isn’t useful to researchers), that makes it hard to have a science around computing education.  Do we write about CT Type-1 vs CT Type-2?

December 7, 2018 at 7:00 am 17 comments

MicroBlocks Joins Conservancy #CSEdWeek

This is great news for fans of GP and John Maloney’s many cool projects. MicroBlocks is a form of GP. This means that GP can be funded through contributions to the Conservancy.

We’re proud to announce that we’re bringing MicroBlocks into the Conservancy as our newest member project. MicroBlocks provides a quick way for new programmers to jump right in using “blocks” to make toys or tools. People have been proclaiming that IoT is the future for almost a decade, so we’re very pleased to be able to support a human-friendly project that makes it really easy to get started building embedded stuff. Curious? Check out a few of the neat things people have already built with MicroBlocks.

MicroBlocks is the next in a long line of open projects for beginners or “casual programmers” lead by John Maloney, one of the creators of Squeak (also a Conservancy project!) and a longtime Scratch contributor. MicroBlocks is a new programming language that runs right inside microcontroller boards such as the micro:bit, the NodeMCU and many Arduino boards. The versatility and interactivity of MicroBlocks helps users build their own custom tools for everything from wearables to model rockets or custom measuring devices and funky synthesizers.

Source: MicroBlocks Joins Conservancy

December 5, 2018 at 7:00 am Leave a comment

Older Posts


Enter your email address to follow this blog and receive notifications of new posts by email.

Join 4,376 other followers

Feeds

Recent Posts

Blog Stats

  • 1,596,405 hits
January 2019
M T W T F S S
« Dec    
 123456
78910111213
14151617181920
21222324252627
28293031  

CS Teaching Tips