Episode: 4164
Title: HPR4164: Postgraduate Computing
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr4164/hpr4164.mp3
Transcribed: 2025-10-25 20:36:08
---
This is Hacker Public Radio Episode 4164 for Thursday the 18th of July 2024. Today's show is entitled Postgraduate Computing. It is hosted by Lee and is about 11 minutes long. It carries a clean flag. The summary is studying for a Master's in Computing with the Open University.

My name is Lee and today I'll talk about a postgraduate Master's in Computing which I've been studying towards over the last few years. This qualification could be studied for with quite a few different universities in the United Kingdom. I'll be talking about the programme that's offered by the Open University and focusing on the particular modules that I've taken myself. While the modules I took did not have specific entry requirements, I noted the recommendation that students will either have previously studied at graduate level or have an equivalent level of industry experience. I studied one module at a time, with each one recommending about 10 hours' study per week.

Just a little about the institution itself. While there is a campus in the city of Milton Keynes in Buckinghamshire, England, unlike most other universities, this university has always been primarily for distance study, long before the days of the internet, COVID and video calls. Daniel Weinbren describes in his book The Open University: A History how the then Prime Minister Harold Wilson in 1963 set out plans for a University of the Air, which was eventually realised and gained a royal charter in 1969. I remember as a child in the 1980s and 1990s watching the television broadcasts they put out on the BBC in the early hours of the morning, which supplemented the other study material students were sent in the post.
A decade or so ago my mother, who in her youth after passing the 11-plus selection exam yet not being able to go to a grammar school and having left school with only a handful of O level qualifications, studied for and obtained a Bachelor of Arts degree in her retirement through the Open University. While studying by correspondence can feel quite solitary, on each of the modules there was a forum for students and some of the modules also had collaborative activities.

The first module of the Master's I studied was information security. Studying this, it helps if it can be related to an actual organisation the student has some first-hand knowledge of, and that was pretty much a requirement for the assignments, which centred around developing a hypothetical information security management system that would suit the organisation in question. The first lesson was that security is not static but a moving target, and for an organisation to be secure its processes must evolve over time. The International Standard ISO 27000 outlines the various things that an information security management system should include. We were taught how to categorise and prioritise critical information assets, and to think about the need to incorporate security within company policies, with designated roles and people with accountability. Different types and levels of risk need to be treated appropriately, applying whatever controls are necessary, and there should be ways of ensuring compliance.

One way of looking at information risk is to list the asset, the access, the actor, the motive and the outcome. So an asset might be identity documents such as a scanned passport, the access might be physical access to the computer with the files or instead via the network, the actor who might compromise security could be inside such as an employee or outside such as a hacker.
The motive or circumstance for these files to be accessed could be either deliberate or accidental, and finally the likely outcomes might be disclosure of sensitive information or loss or destruction of that information. There are different ways of quantifying risk, but in its most simple form it involves multiplying the probability of the event happening by some measure of the impact if it did happen, and this might be in monetary or other terms.

As well as the broad concepts mentioned, we also looked at some specific information security tools. One of these was Nessus, available from tenable.com, which scans a PC for vulnerabilities and lists these with a score of critical, high, medium, low or for info only. Compliance is an area I was already familiar with from having to get a client's web server to pass quarterly scans because it processes cardholder details.

The module concluded with an assignment requiring some independent research into a chosen security topic. I chose honeypots, which are devices that detect intrusion onto a network by making themselves deliberately visible and easy to hack, and two of the three papers I reviewed for this assignment were about using Raspberry Pis as honeypots. Just one note about this level of study, which I discovered to my disadvantage in completing the assignment, is that students are expected to make use of specific academic skills and present findings in an expected format, and if this is not adhered to closely it does not matter how technically good the work is, it won't get high marks.

The next module was system security. This one I felt right at home with because it had a fairly technical bias. I also enjoyed it because a lot of the activities were collaborative, presenting system models to others and reviewing theirs.
The material studied was quite diverse, including different types of cryptography and access controls, using the CVE security vulnerability database, hardening a Linux installation, modelling systems with data flow and activity diagrams, and the application of ethics with respect to governments weaponizing security exploits. The key learning of the module is that any security threat relates to one or more of the following: first, spoofing, that is pretending to be not who or what someone seems; second, tampering, that is changing data; thirdly, repudiation, that is doing something then saying that it didn't happen; fourth, information disclosure, or leaking some data; then fifth, denial of service, so stopping a system from working; and finally sixth, elevation of privilege, that is using some limited access to wrongfully gain more access. These form the acronym STRIDE, which is attributed to Kohnfelder and Garg in 1999.

System security was my favourite module and I scored a distinction for it, and while I did subsequently fail miserably to describe how to secure a modern web-based system when asked as part of an interview for a job working for the British government, answering a similar question on Reddit when not under interview pressure attracted well over 100 upvotes.

The third module was network security, and this was heavily biased towards Cisco with a capital C, and there was a lot of work typing commands into virtual IOS devices, that is IOS in all capitals as in Internetwork Operating System, and not the little i, big OS made by Apple. Apart from mundane stuff like doing networking things at different layers of the OSI model, implementing access controls on Cisco devices, network routing and the somewhat complicated task of setting up a VPN, the module also covered how companies secure devices like mobile phones and laptops when employees bring their own stuff into a company network.
The final assignment included a neat task in Kali Linux, forensically examining the results of a pretend exploit using tools like Wireshark to make sense of the logs and then document what had happened and how.

The next module was software development. Here I got my hands dirty with the monstrosity that is an enterprise Java database application with a web-based interface and an API endpoint, and I still have scars from dependency resolution and configuration of database drivers. The module mainly covered object-oriented programming and especially the drawing of class diagrams, the concept of design patterns and using a test framework. Out of some sense of rebelliousness at the aforementioned affront to my sanity, I blatantly used one of the assignments as an excuse to learn both Spring Boot and Angular, even though neither of those was mandated in the assignment brief. The module ended with a research and review assignment of papers on a chosen topic, and I chose a topic of security and open source software. In the context of using automated tools rather than code review to detect security issues in code, I even managed to sneak in a reference to chess legend Garry Kasparov, famously beaten by Deep Blue, about what computers are good at and what they are not. Although had it been a year later, advances in large language models might have nullified this point.

The most recent module I studied was software engineering. While covering several topics such as software quality, productivity, the place of open source, the agile methodology and again ethics, the primary topic was requirements engineering. The main message is you can't make a sandwich until you know the preferences and dietary requirements of your client, the likely costs of tools and materials such as a knife, cheese and butter, the likely time it will take, the consequences if you could only get as far as buttering the bread and needed to call in a cheese specialist to complete the job, and the need for these requirements to be signed off with all stakeholders involved, especially the client's mum. For anyone facing such dilemmas, the set text was Mastering the Requirements Process by Robertson and Robertson.

The main case study on this module centred around a fictional ticketing system for the Olympics this year. The collaborative activity involved collaborating with a dozen or so other students on a GitHub repository hosting requirements documents for this system. With every single person having full read and write access this did get a bit chaotic, and some of the blame for that rests on my shoulders, as I more than once used features of Git that weren't taught in the module and aren't generally sanctioned, such as rebasing then force pushing to a shared repo. Unlike the other modules this one ended with an exam. This was open book but required application of principles taught in the course to a newly presented case study.

The final module, not yet taken, is called Research and Context. I plan to study this later this year. It will be about the process of academic research and primarily involves conducting some research on a chosen topic. I have that to look forward to.

So today I've talked about several postgraduate modules offered by the Open University that can be combined into a master's qualification. Other universities offer other modules, and there were some I could have taken but opted not to, such as data management and digital forensics. This route of study is not for everyone; there are financial and time pressures. Some of what is learned may be abstract or literally only of academic use rather than of direct vocational relevance.
Maybe a qualification is not important to everyone, and there are arguably now more varied avenues for carrying out substantial learning than there were in the past that do not include the university. However, there are good reasons why some people do benefit from studying in this way. Many have, and perhaps more would, given the opportunity. In any case I hope this has been of interest, and thanks for listening.

You have been listening to Hacker Public Radio at HackerPublicRadio.org. Today's show was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, click on our contribute link to find out how easy it really is. Hosting for HPR has been kindly provided by AnHonestHost.com, the Internet Archive and rsync.net. Unless otherwise stated, today's show is released under a Creative Commons Attribution 4.0 International License.