Georgia Tech Creates Cybersecurity Master’s Degree Online for Less Than $10k (gatech.edu)
374 points by electriclove 6 months ago | 281 comments



While these degrees are interesting, they still have the same entrance requirements as on-campus programs (transcripts, references, undergrad degree). This is a shame bc there are many people, especially in software engineering, who have the skills yet lack adequate proof of those skills.

I'd love if there were a CS masters that either let you apply directly or complete a specification to get automatic admission. Perhaps after completing foundational courses with a B average. That would greatly increase access and should be sufficient to weed out unprepared candidates.


I was accepted into the Georgia Tech CS masters program without any formal education in CS. I have significant practical work experience though. If you don't have an undergrad degree at all, I'm not sure a master's degree is appropriate? If you don't want to get an undergrad degree, at this point in time that has some logic to it, but you are committing to a path where you will not be getting formal degrees. There are things like Coursera specializations that can provide training and some level of certification.


>If you don't have an undergrad degree at all, I'm not sure a master's degree is appropriate?

Why shouldn't it be? I don't see why 3 years worth of miscellaneous classes and 1 year worth of classes toward a major (not even necessarily in computer science) should be a prerequisite for a cybersecurity program, or for any masters program for that matter. It just seems like another part of the false mythology of undergraduate education. And I'm sure the people running these credential rackets realize that allowing students to cut to the point would put an end to their gravy train.


Even the name of the degree, masters, implies that this is for mastering that subject. I personally take that as a hint that (in general) you should already be intimately acquainted with it before mastering it.

Those years for the bachelor don't just prove you learned some random subjects. They also show that you deliver - you have a topic, you study it, you pass the exam.

The reason you say "I don't need that" is because you have to pay a crapload of money for those 3 years with a dubious ROI. It's a credential racket because they charge you through your nose. And it's cheaper now because online is cheaper. But it's unrealistic to assume you get the same quality for less money, it would sink their normal masters business right? Lots of things are debatable here especially if you dig into the exceptions but generally it might be the difference between takeout/fast food and a good restaurant.

When I see people skipping some degrees and going for the online ones they have to show some damn good practical achievements to convince me that was time worth saving.

I'm pretty sure most of you would refuse to go to a doctor who studied online. Cyber-security can easily turn out to be life or death.


If you are mid-30s with 100+ semester credits done in your Bachelor's Degree, but can't go back to finish it because many of the credits have expired, the idea that you'd have to re-finish the degree just to sit for a Master's Degree when you turn 40 is ridiculous.

Plenty of people have been admitted to MS programs without a BS/BA when they prove why they're the exception. Serious private sector work fills in the gaps easily. MBA programs are no different.


> If you are mid-30s [...]

That's an oddly specific case. But as I said, digging into the exceptions will always find something to support any point of view. I'm looking at the overall situation. In most cases the degree can be compensated with work experience.

> Plenty of people have been admitted to MS programs without a BS/BA [...]

This of course is entirely up to the program. Most PhD programs require both, some require only one. What I said is that I (personally) see this as a natural progression. Skipping one will have to come with a damn good reason attached. Like exceptional performance otherwise.

> MBA programs are no different.

Again, personal opinion, I trust the MBA program the least of all. I have seen so many people (including a lot of colleagues) dish out several (tens of) thousands of Euros to get an MBA while still in their 20s, with only some mediocre team-leader over 4-5 people for 2 years experience behind them that I simply cannot put any kind of weight in that achievement.


I think that the case you're describing is the exact reason this requirement is important. Lacking credits in an undergraduate degree is a red flag -- why are you missing them? Why didn't you go back and make them up? If you're serious about a formal education, the lack of a few credits shouldn't hold you back.


In my case, I took a full-time job overseas between my JR and SR year making 100k+ in the field I wanted to study. It was an easy answer for my admissions officer who then recommended I be admitted to a MS program.

There's a lot of reasons why you wouldn't finish a degree that are valid. Have you considered asking rather than assuming? What if someone had serious depression or social anxiety? You're making a lot of assumptions on being "serious" and it's honestly pretty naive and silly, borderline offensive, and very common in academia.


> why are you missing them? Why didn't you go back and make them up?

Pretty sure that's asking, and if you find that _borderline offensive_ then you probably need a little bit thicker skin. If you're applying for a top-tier institution, they are going to look for red flags in your transcript, and not finishing your education, no matter the reason, is a red flag that needs to at least be explored. They aren't going to simply _assume_ you had some legitimate excuse for not finishing because many people don't.

I don't think it's fair for you to call it naive and silly for someone to understand your background. No one is saying that your serious depression or social anxiety isn't a legitimate reason, but it's also something that has to be considered. Academic institutions have a graduation rate to protect, and they aren't keen on letting someone in that is a risk to drop out after a couple of semesters -- no matter the reason.

If depression or social anxiety are holding you back in your life that much, it's time to seek help, by the way. As someone who has experienced the same, that is a really good indication that it has gone past a simple mood thing into a serious medical condition.

Best of luck.


If you are mid-30s then you will have no problem getting into these courses just based on your work experience.


> But it's unrealistic to assume you get the same quality for less money, it would sink their normal masters business right?

How does that logically follow? Different people have different learning styles and are at different points in their lives and careers. The rigour of the material is orthogonal to the channel of delivery.


Yes... one style involves a bucket of money, years spent physically going to the classroom, having to live far from home and pay additional money, and more. The other style involves paying half or a quarter of that, doing it from the comfort of wherever you choose, while holding a job... and getting the exact same level of quality?

You're saying that there's no clear benefit for the first option other than personal "learning style"? How does that fare when going head to head with the extremely obvious and objective advantages of the online option? There's always a compromise and if you gain flexibility and money something's gotta give elsewhere.

You're making a huge confusion if you think an online masters is just a channel of delivery for some material. A (good) classic masters is more than the professor handing out the material personally instead of emailing it to you (which they do anyway).

Exactly as you said, online is the option you choose when you no longer afford (time/money) the other one. It's for when you need to tick a box on an application. Otherwise you can easily skip it and substitute with your experience.

As a person with a bachelor, 2 masters, almost a PhD (:D), and a whole host of online courses and degrees I can tell you there's a world of difference between the two types of experience. So I treat those degrees with the corresponding level of respect. And please mind you, I said the degrees, not the degree holders.


Masters degrees in particular vary a huge amount. When I got one of mine (in engineering but not CS), it was a couple of years including writing a thesis which included significant original research. Yet I know people, including from top-tier schools, whose Masters was a 1 year program of mostly just classroom.


And both of them were probably more interactive and educational than a standard online masters.

I'm not saying that online=bad. But a good classic masters program will invariably be better than a good online masters program. Of course if something's already not up to par (classic or online) it becomes irrelevant by how much it fails.


You seem predisposed to conclude that degrees are merely signaling devices, and if you believe that about undergraduate degrees then you should also believe that about masters degrees and should avoid this program.

But if you believe that masters degrees have value beyond signaling, then the thinking is that a formal multi-year undergraduate course of study that ensures a minimum knowledge core on a topic will better prepare you for a formal multi-year graduate course of study on that topic than simply working in the field and acquiring a random assortment of specific skills based on what you needed on the jobs that you took.


A few points:

* Even to the extent that degrees are just signaling devices, they are still useful because many people with power over your career care a lot about those signals.

* If you choose a useful major, that one-years-worth of your undergraduate education certainly has utilitarian value in preparing you for a related career or for further instruction.

* The other three-years-worth of courses may make you more worldly and well-rounded, but their instructional value is nowhere near the $150,000 you'll pay for them at a private university.

>the thinking is that a formal multi-year undergraduate course of study that ensures a minimum knowledge core on a topic will better prepare you for a formal multi-year graduate course of study on that topic than simply working in the field and acquiring a random assortment of specific skills based on what you needed on the jobs that you took.

* Yes, of course, but this only applies to the quarter of the undergraduate courses that are actually relevant. It doesn’t explain why should you need three years worth of courses in underwater basketweaving or gender studies as a prerequisite to a masters in cybersecurity.


Fair point. I actually have an undergrad degree. I'm mostly arguing that as we have straightforward ways of addressing knowledge and ability via courses online (at a low cost to institutions), then admittance should be based on that ability rather than potentially dated proxies (college grades).


I don't have an undergraduate degree in CS or engineering and was accepted with about 5 years of software development experience.

If you're saying that you think people should be able to attend a graduate degree program without an undergraduate degree, then that doesn't really make a whole lot of sense to me. There is a long established precedent that (formal, possibly legal requirements, too?) you must have an undergraduate degree to take the next step in your education.

You either want the formal education or don't -- if you do, then you have to meet the pretty standard requirements.


I have a diploma in CS, but not a bachelors degree, but 10+ years of practical engineering experience. I'd love to work towards a masters in CS, but most online schools don't accept my diploma and work experience as equivalent. I attempted to apply for a GT online masters and was soundly rejected without consideration.

There are always ways around, and candidates that should be considered based on potential. But some kind of a qualifier, even a certificate, that would allow candidates like myself that would love to be engaged through some kind of qualifier or conditional acceptance would allow more people to get engaged and show their ability and commitment to being successful.


What about WGU?


There have definitely been a number of students admitted to the GT's OMSCS program who didn't have an engineering undergraduate degree. Not sure though what are the stats of students without any bachelor's degree at all...

There is a requirement to complete a few foundational courses after you enroll but you still need to be accepted first.


Where have you read this?


Some of those without an engineering undergrad degree were my classmates.


The vast majority of universities consider a master's degree to be a post-graduate degree so they'll require a bachelor's degree to enter it. There are plenty of cyber security courses either at undergraduate level or outside of the university system altogether.


Once you get to a reasonable level of career experience, college is not beneficial for your bottom line. At least that's been my experience.


I think this varies greatly by industry (maybe what I'm talking about is 20 years outdated). I know quite a few boomers who worked on their Masters / PhD while raising kids and working. From what I've been told it's because their careers were limited by their existing level of education. For example, most K-12 teachers get a pay boost by completing their Masters.

My career is software dev adjacent and I haven't seen college being a limiting factor.


Do you mean undergrad or masters?


I would assume both. That's my experience.


Sounds like you want something similar to WGU, although specifically for CS they don't meet your requirements because they only have a BS degree program.

https://www.wgu.edu/#

https://en.wikipedia.org/wiki/Western_Governors_University


https://www.ox.ac.uk/admissions/graduate/courses/msc-softwar...

University of Oxford Master’s in Software Engineering

... However, more extensive experience may compensate for a lack of formal qualifications, and a strong, immediately-relevant qualification may compensate for a lack of professional experience.


You're advocating for admission to a graduate program without an undergraduate degree. It doesn't and shouldn't work that way. Possession of a masters degree indicates you have completed a prescribed course of study.


> You're advocating for admission to a graduate program without an undergraduate degree. It doesn't and shouldn't work that way.

There are BS/MS, BA/MA, BBA/MBA, and BSL/JD programs (among others) that do not require a prior undergraduate degree but instead incorporate a same-field undergrad degree into the graduate or professional program, with typically less total coursework and time in residence than separate programs would require because of tight integration.

> Possession of a masters degree indicates you have completed a prescribed course of study.

Yes, but there's no reason that a bachelor's degree needs to be an admission requirement for that to work; it may be a completion requirement, but that doesn't mean it needs to be an admission requirement.


Yes, I should have chosen the word "completion" rather than "admission".

The comment I was replying to was saying, in effect, "I want to be able to earn a graduate degree without having to earn an undergraduate degree".

Those programs sound great. They would allow a person to EARN both the graduate degree and the underlying undergrad.


> The comment I was replying to was saying, in effect, "I want to be able to earn a graduate degree without having to earn an undergraduate degree".

That comment specifically complained about entrance requirements, so, no, I don't think that is a fair characterization.


True, but the end goal is certainly not simply Entering the program, but completing the program and obtaining a graduate degree.

I highly doubt that the motivation behind that comment is a desire to audit a masters program.


Is it a "Master's Degree" or is it an "Online Master's Degree" because they keep saying online, and OMS instead of MS, etc.

I suspect that will be stigmatic, or is already.

If that is the case, then why waste $10K on a degree that is no more valuable than "self taught"?

Is an OMS from Georgia Tech more convincing than "I read some books and here's a good portfolio of personal projects" ? It's a hard sell.


You're paying for certification, acceptably proving you've learned what an accredited institution expects you to learn.

The problem I've seen with "I don't need a degree!" people is gaping holes in their self-taught education, missing things that every degreed person learns.

Yes, I'd trust an OMS from Georgia Tech over "I read some books and here's a good portfolio of personal projects". I'd be seriously concerned that the latter missed stuff any MS in the subject should know.


> The problem I've seen with "I don't need a degree!" people is gaping holes in their self-taught education, missing things that every degreed person learns.

I know people with degrees who have gaping holes in their knowledge.

Remember the old adage "C's get degrees"? You only need to understand 50% of the material (C- grade point average in my country) to get your degree. That's not to mention people cheating or bullshitting their way through their degree. I knew plenty of people at university who were lacking basic skills, but managed to get pulled through by group assignments.

A degree certifies that you've been taught a body of knowledge, not that you've learned a body of knowledge.


Is it fair to say that self-taught people are more likely to have holes vs university-educated?


I'd trust an actual bachelors or masters degree over "self taught" too yes, but as someone else in this thread also pointed out this "online masters degree" looks like it only really covers 100 level bachelors content and not much else.


If it’s like the OMSCS they cover lots of topics that are covered in an undergrad but the marking scheme is that an undergrad A guarantees you’ll pass and if you want an actual A on the course you’ll have to work harder. Any OMSCS grads feel like (dis)confirming?


Currently in OMSCS, after very recently taking some bachelor's level courses. The OMSCS classes are significantly tougher, go far deeper into the material, require more research and involve less hand-holding than the bachelor's level classes.


I interacted a bit with OMS CS students that were taking Udacity courses (there is some link between Udacity personnel/classes and OMS CS), and they all reported being flooded with difficult homeworks/projects, often racing against the clock to submit things before deadline. Some classes even take >40h/week according to them. It doesn't seem to be anything trivial as you'd have implied; more like a proper MS from a Top-10 school. Imagine you need to get a lunar lander module landing on the moon in OpenAI gym via Deep Reinforcement Learning, write your own real-time Augmented Reality system as your final project in Computer Vision, beat real-world radiologists using the very latest Deep Learning research from Stanford as a final project in health informatics, write your own Swift-like compiler etc. Does that seem trivial? If anything, it's awesome people can learn those things online with the proper academic rigor and without dumbed-down curriculum.


I believe it's not really hard to check one's competency level in STEM fields. Suppose you're interviewing those with bachelor's degree in math. Intro to Abstract Algebra and Real Analysis are two of the core requirements for those in undergrad math. Admit all those with papers automatically. Place a super high bar of responsibility and expectations on the so called "self-taught" ones. For example, accept only those who can solve every single problem in Hatcher's Algebraic Topology cold. I doubt even 10% (numbers out of my ass) of the undergrads in the US are capable of this feat. Anyone who taught themselves this shit (gaping holes or not) can kick some serious ass. Sounds fair to me.


It’s usually not about finding the correct solution to a specific problem, but rather the approach one chooses to solve a specific problem.

Asking self-taught people questions from one domain is exactly the way you won’t find out if they have skills missing that are necessary.


The idea is that anyone who masters some obscenely difficult area can easily be taught anything they are missing. Hell, you can tell them to pick up whatever you need them to know on the weekends. The book and the subject matter I suggested so happen to be brutally difficult. Anything they have to learn at your org will likely be trivial by comparison. Anyone who learned this book on their own can easily walk in and out of any math PhD program (let alone other subjects).


As someone who did a bachelor's at GT, students constantly complained that none of the classes prepared you for Day 1 of a job.

GT's collective response was always that that wasn't their job. They expected you to pick up {new-js-library} while you were studying.

Their job was to "train you for the last job you'll ever have."

And there's a certain wisdom to that. I can learn a new library -- I'd be unlikely to learn the full networking stack, RDBS internals, the history of hardware / software development, or OS & processor memory handling.


How would you trust it compared to 5+ years experience with CISSP and possibly one of the more advanced ISC2 certifications or any of the SANS GSEC certs?

I understand that you are saying any accreditation is better than none. I am just playing devil's advocate with an accreditation alternative to formal education.


The two curricula are incomparable. A CT MS is academic; the courses are formal college courses, independent of a sponsoring corporation and its commercial S/W products. The role it prepares you for is IT management. Certificate programs prep you for staff level work, as an implementer.

Here are the 3 possible curricula for the GT program:

Core:

* Introduction to Information Security (CS 6035)
* Information Security Policies and Strategies (PUBP 6725)

Info Security Track:

* Applied Cryptography (CS 6260)
* Secure Computer Systems (CS 6238)
* Network Security (CS 6262)
* Information Security Lab (CS 6265)

Energy Systems Track:

* Smart Grids (ECE 8803)
* Introduction to Cyber-Physical Electric Energy Systems (ECE 8803)
* Introduction to Cyber-Physical Systems Security (ECE 8803)
* Computational Aspects of Cyber-Physical Systems (ECE 8803)

Policy Track:

* Introduction to Information Security (CS 6035)
* Information Security Policies and Strategies (PUBP 6725)
* Information and Communications Policy (PUBP 6502)
* Privacy, Technology, Policy and Law (CS/MGT 6726)
* Internet and Public Policy (PUBP 6111)
* Scenario and Path Gaming (INTA 6014)
* Data Analytics and Security (INTA 8803)
* Information Policy and Management (PUBP 6501)
* Challenge of Terrorism in Democratic Societies (INTA 8803 G)


I think it's a valid question since the CISSP seems more geared to managers, not "staff-level work." The most common advice I've seen about answering questions for the CISSP exam is "think like a CEO."


You would trust the OMS to do what exactly? Opine on computer science theory? Perhaps. Do solid work for you? That's a much closer call, in my opinion.


s/things every degreed person learns/things every degreed person is supposed to have learned/g


I am a Senior Software Engineer in my mid thirties doing an Online degree at a local university of applied science in Germany. I am doing most of the work at home and just go there 4 times per semester and once for exams, but I have a lot of deadlines for assignments during the semester, while I work a full-time job obviously. As far as I can tell, they apply the same standards to exams and grading as they do for normal on-campus students and I need to go much deeper into subjects than I would if I would self-study for fun, to get good grades. I also need to study stuff that might not be on my list if I would only self-study, but in the end often is really valuable.

Maybe some people can go really deep into topics when learning by themselves, for me the fact that I need to pass an exam and want a good grade helps a lot to go the extra mile on some of the harder stuff.

So when someone says an Online degree equals "I read some books and here's a good portfolio of personal projects" I honestly get mildly offended.


Where is that? I also live in Germany with time constraints...


In my case it's https://www.vfh.de/ which is a group of Universities of Applied Science throughout Germany that offer a selection of degrees. I myself am in Berlin, experiences may vary between different universities. I am doing a Medieninformatik Degree which equals something like "Computer Science and Digital Media", meaning some emphasis on Computer Graphics, Web/Mobile Development combined with CS fundamentals etc. If you want a Degree from a research University in pure Comp Sci, Fernuni Hagen is the only option for remote studies afaik.


That is great. Are you very fluent in German?

I speak okayish German. Can definitely understand and work with it, but I think that writing an essay in German for me might be too much. So I've been delaying my MSc until I learn better German, but this will take forever.


I am German, so yes I guess you could say I am fluent. However, since the studies are mostly remote and a lot of communication is in written form, you should get by with okayish German during the semester and exams. There are quite some essays to write and presentations to hold though (more in the Master than in the BSc), so I am not sure how that would work out but could also see them being flexible and let you do it in English, since it's smaller groups and thus more personal mentoring. This is just a guess though.

Otherwise you'd need to try something like Internationale Medieninformatik at TU Berlin which is in English, but not remote unfortunately. Otherwise maybe the Open University Masters is something for you, or of course the GTech MSc which is quite a bit more expensive though.


Not OP, but from my research Fernuni Hagen is supposed to be good

https://www.fernuni-hagen.de/mi/studium/msc_informatik/ (German only)

Around 1000€ for the Computer Science Master.


I'm interested as well. Are the courses in English?


For the remote programs unfortunately I think they are German only.


Taken from the FAQ:

How will this degree appear on my diploma and/or transcript? The name "Online Master of Science" is an informal designation to help both Georgia Tech and prospective students distinguish the delivery method of the OMS program from our on-campus degree. The degree name in both cases is Master of Science in Computer Science.

The point stands that it would be relatively easy to know which version someone completed (you worked in New York but got a masters at Georgia Tech?). I personally believe the value to be roughly equal to a "real" degree.


I think the question is less whether the "online" part of the degree is problematic, and more whether the "masters" part is. Pay-for-play vocational masters degrees are kind of a known quantity in the field already. A BSCS from GATech is something! An "MS in Cybersecurity" is something else.


They aren't exactly the University of Phoenix, either.

Compared to the average cost for an online degree from a decent university, I can see a lot of people compromising over only 10K - even if some parts of the program aren't perfect.


They aren't, but, as someone who holds a non-academic Master's degree, I think I still support the distinction - MA and MS should be reserved for people who've defended a thesis. Conferring it to people who have completed a professional education program is muddying the waters.


That seems a bit self-defeating. A thesis is just a longer than average paper, there's nothing magical about it.


I'm in the CS program and the rigor is definitely there. It's not pay-for-play at all, although I am not sure that's what you're suggesting.


Georgia Tech has a top tier CS program and I am not disparaging it. I'm talking specifically about vocational masters degrees like this Cybersecurity thing.


Makes sense. I’m curious, what are your thoughts on vocational certificates for other industries?


> Is an OMS from Georgia Tech more convincing than "I read some books and here's a good portfolio of personal projects" ? It's a hard sell.

Part of the price is GT's credibility. Someone not familiar with security may not be impressed with a portfolio of personal projects.


> I suspect that will be stigmatic, or is already.

The FAQ on EdX says the certificate is identical to the on-campus one, it doesn’t mention “online”.

In the UK we have had “distance learning” for a long time (Open University) and there is no stigma attached, OU is probably actually more prestigious than most ex-polys.


It's hypocritical of the business world to use open source software but reject open education.


To the business world, open source is just a business calculation and HR really doesn't care about it except when it's useful as a recruiting tool. The same is true of hiring decisions and open education. Degrees from well known universities are part of a cost/benefit/cover-your-ass strategy in hiring decisions so when open education has proven itself to the degree that open source software has, then it will be as widely accepted.


The business world uses Microsoft Windows and Office. Couldn't care less about open source.


University of Liverpool has had an online MSCS program for a while too with the same certificate as if it was on-campus.


It mirrors an on-campus program. Online !== self-study.


If it's like OMSCS, it will be a simple MS, no mention of online. The method of delivery isn't really relevant, just the content.


I think it depends on how it's done and who it's offered by. Georgia Tech is one of the best US overall engineering programs in the US and I'd hope they would take this seriously and employers or other credentialists take it seriously.

I took a master's course in cryptography at a university as part of a job perk. The IRL aspect was lectures and office hours sometimes. The professor did not have a great grasp of the English language so I had to work with other students and do extensive internet research to understand things.

I also did one of Udacity's FEND program. It had a Slack channel and pretty cool feedback mechanisms for homework and tests. If the grad school class had that I think I would have enjoyed it more and had greater mastery of the subject.

I think it's past time for us to consider OMS legit instead of automatically second-guessing them.


There’s a lot of money getting dumped into all things cyber, and it’s attracting waves of people like flies to a lightbulb.

It’s also a place where marginal people can burrow in or even thrive - either doing policy work (in the form of monk-like transcription of NIST documents), being a gatekeeper for exceptions and reviews, or doing threat intelligence. Figuring out how to measure and hire people is hard, and banks and Federal contracts need to fill thousands of chairs.

The racket of expensive certifications was restricting the talent pool, so these cyber security programs are sort of like a substitution for that. This isn’t going to ever produce real technical leadership — the smart people are ultimately engineers who do interesting security things. IMO it’s a waste of potential — smart kids are bypassing Computer Science or Engineering for a much less rigorous education.


> IMO it’s a waste of potential — smart kids are bypassing Computer Science or Engineering for a much less rigorous education.

There are some opposing forces at play that students and new grads may not quite understand: Computer Science and Software Engineering (boot camps by extension) are basically branching paths to the same entry-level job, but where you go beyond that can have a stark difference.

I always ask our interns a few questions about their education when they start. One of the chief complaints for CS students is that they don't learn enough practical knowledge to enter the work force. They talk about people who went to a boot camp or were self-taught, and they always express that those people are much more prepared for a given position. Thus we have students who are looking for SWE courses but are taking a CS curriculum. In my experience, no one bothers to make the distinction until it's too late.

True story that drives this home: Our client hired an intern who didn't think a CS degree was practical. He clearly had gaps in his skill set, but I chalked it up to him being a college junior. He was given a small task to parse some text, and I suggested regular expressions (the programming construct) - something he said he had experience with. He came back to me an hour or so later utterly confused on how people could catch all of the edge cases and branching paths that a small regex can generate. Turns out he hadn't taken formal languages yet. I sat him down to build a DFA and talk regular expressions (the formal language concept) with JFLAP[0], and it blew his mind. That conversation changed his entire outlook on CS degrees.

[0]: http://jflap.org


What would personal projects look like for cybersecurity work?


It probably depends on the market where you’re job-hunting. In tech worker starved areas like the Midwest and South, it’s probably a sufficient credential. Either of the coasts, obviously less so.


Hopefully they will have something more advanced in the future, possibly calling it Masters of Science in Cyber Engineering with course work similar to the following:

  [*]Introduction to Graph Design and Theory
  [*]Secure Network Design, Theory and Implementation
  Introduction to Analog and Digital Signal Processing
  [*]Assembly for IA-32 and x86_64
  Assembly for PowerPC, MIPS and ARM
  [*]C/C++ Programming for Windows, Linux and MacOS
  C/C++ Programming for Android, iOS and Embedded Systems
  [*]Python Programming
  [*]Advanced Python Programming
  [*]Automated Testing Theory and Implementation
  Advanced Graph Theory
  Introduction to Game Theory
  Advanced Game Theory
  Building Secure Scalable Systems and Networks
  Building Big Data Analytics Systems
  [*]Automated Defense and Offensive Systems Theory and Implementation
  [*]Information Assurance Policy
  [*]Reverse Engineering Windows, Linux and MacOS
  Reverse Engineering Mobile Devices and Embedded Devices
  Reverse Engineering SCADA Systems
  Advanced Analog and Digital Signals Processing
  Cryptography for Engineers
  [*]Vulnerability Research Theory and Methods
Updated - [*] Core courses.

If the individual could make it through the above, they would be very knowledgeable, experienced and ready for many of the hard problems in the realm of cyber that employers are wanting in extremely high demand.


Your list strikes me as significantly more than a typical master's degree would cover.


Yes, that list does look a bit overblown. Most MS in US need you to take 12 classes, each of 3 credits = 36 credits to graduate.


Yeah, many would probably have to be broken down into electives, but if all of them were taken the graduate would be an extremely strong cyber engineer versus the current easy cyber degrees that are available now that do not really cover what cyber engineering employers are looking for. Most of the degrees are very general and do not go into depth or build a strong engineer during the process.


I would have to guess a Ph.D. in Cyber Engineering to start off near the Vulnerability Research work. Starting with a higher emphasis on research in cryptography, building tamper resistant systems, maintaining integrity and confidentiality on mobile, desktop, server, SCADA and embedded systems.

Then kernel development, in depth work with creating custom applications that deal with TCP and UDP security and analysis, deep dives into the inner working on how various IoT devices work, building autonomous cyber reasoning systems, automated cyber ranges, and or automated policy client/server enforcement systems.


A PhD is about doing novel work and pushing the state-of-the-art, you can't get a coursework based PhD.


> A PhD is about doing novel work and pushing the state-of-the-art, you can't get a coursework based PhD.

That's the USA philosophy of advanced degrees; it does not reflect the practice of every country.

And given standard scholarly impact statistics for completed theses, it arguably doesn't reflect reality either. Maybe we should start admitting that most PhD candidates haven't made a significant contribution to the state-of-the-art, most future candidates aren't going to, and the nominal requirement to do so isn't helpful?


A Ph.D. is mainly about research, the courses you take leading up to your dissertation should still teach you more in-depth technology to help ensure you are an expert in the field of the degree at the graduate level. Without this in-depth course load you will have weak research and would not have a good grasp to be able to create anything new, state of the art that helps push the industry forward through advanced research along with being employable.

If you come in the door with these credentials you will be highly qualified to be at least a principal cyber engineer. Your in depth research would make serious waves in the industry and with real world experience it would be an amazing win-win situation for you and the company that hires you, or even better your own business doing cyber research.


This is a complete waste of time and money with the usual bullshit material taught by people who don't really have a clue and completely-out-of-touch-with-reality academic focus (write a buffer overflow!).

If you really want to learn invaluable cybersecurity skills, start playing wargames. I suggest (1) which is one of the best. If you manage to reach level 25 on your own, then you are elite and the knowledge you gained doing so is not only extremely valuable but something you can be proud of.

(Sidenote: I would hire anyone who reached vortex level 25 on the spot and pay him a six figure salary, without looking at any of his other qualifications/degrees/past experience)

Additionally, read every single phrack (2) magazine from the past 20 years and try to understand most of the material within.

(1) http://overthewire.org/wargames/vortex/

(2) http://phrack.com


> (Sidenote: I would hire anyone who reached vortex level 25 on the spot and pay him a six figure salary, without looking at any of his other qualifications/degrees/past experience)

This is a strong statement. I remember reading somewhere that Bill Gates said he would hire anyone who has read The Art of Computer Programming by Knuth.

I think these challenges should be collated and put up in a website where motivated individuals can grab the opportunity to prove themselves.


Reading != doing

I take the same approach. Have been around many well qualified people who lack critical thinking and thus suffer poor output. There is no amount of education that can correct for this.


My coworkers who stayed in security all did the master's route instead of the competent pentester route..

There are a lot of jobs and they are a lot more stable for people who have studied the fields academically. There's some high pay for those who haven't, but a lot of it ends up being temporary.


Security is a much larger field than what the game you linked covers.


Almost every single comment I've seen on this page is about how the parent comment/post doesn't understand what security is about...


Most of the comments I see are about the reputability of an online degree, the value of getting a degree, and comparisons to other similar options. I'm not even sure we're reading the same comments section.



+1 to vortex. I participate often in CTF competitions and it's my go to recommendation for serious people looking to get more involved. Most of the early stages are great because they are no nonsense - they give you the papers explaining the solution, and just ask you to do the work of understanding and implementing them.

Stage 16 is one of my favorite challenges all time. It took me weeks to solve and the solution is very impressive.

I've been stuck for the last few years on stage 23. Unlike the rest of the challenges it is a steganography level, and I'm not convinced that it is still solvable today.


> I'm not convinced that it is still solvable today.

This sounds fascinating since progress does not tend to work that way. What is it about this problem that leads you to think it was solvable in the past but no longer?


The challenge in question is just a jpg of the logo of ruxcon 2004. The password for the next level is presumably steganographically encoded in it. The challenge is much easier (and perhaps only possible) given the original image, but the logo is no longer on the internet. After scouring web archive and using all Google fu at my command I found some instances of the image but all in different sizes/dimensions.

The name of the level is "the properties of a mirror" which hints that you need to find a mirror of the original site in order to solve the level, and I think that the mirrors are no longer online.

Note for anyone unfamiliar that this level is not at all representative of vortex - all the other levels are all hard core exploit implementation and not stego challenges. In general I don't like stego because I feel that it is more of "try to guess what I'm thinking" than solving interesting challenges.


> The name of the level is "the properties of a mirror" which hints that you need to find a mirror of the original site in order to solve the level, and I think that the mirrors are no longer online.

I would assume that if this were the case someone who has already completed that level could check if where they found it was still up? Perhaps this is not the interpretation of the level name that the writers had in mind?


The challenges are years old and not actively maintained. Until this thread I haven't seen any people who passed level 12 or so.


> (Sidenote: I would hire anyone who reached vortex level 25 on the spot and pay him a six figure salary, without looking at any of his other qualifications/degrees/past experience)

It may be obvious but I'm currently drawing a blank. What are other possible non-programming examples of reaching a certain level in a game and that being worthy of an immediate hire (not including the video game industry)? Complete courses via gamified education is a cool concept.


It's not really a game, but a series of tests that have been gamified. I am sure you could do the same with leetcode.


Thanks for sharing Vortex wargame!

> I would hire anyone who reached vortex level 25

What would be the position/role?


I'm not currently in a position to hire people, see my previous reply to danesparza.

Doing these and other similar challenges and reading and understanding phrack articles would give you a solid foundation to start doing reverse engineering and vulnerability research and reap the rewards that come from successfully doing so.


> Sidenote: I would hire anyone who reached vortex level 25 on the spot and pay him a six figure salary, without looking at any of his other qualifications/degrees/past experience

Anyone reaching 25+ would either:

1) Command significantly more than just (low) 6-figure salary

2) Won't be willing to be hired as an employee


Having done 25 myself, I was willing to get hired as an employee doing reveng a long time ago. But that was before 2010 and you're probably right today. Good reverse engineers can print money and don't have to work for pointy hair bosses. Good point.


I think what you're referring to is pentesting. Agreed, for pentesting I highly doubt the course will be of much benefit.

However, for developing compliance and architectural plans for a large enterprise, it's quite a bit more complex problem.


What I'm referring to is the core of cybersecurity:

Reverse engineering & vulnerability research.


Unfortunately, that doesn't help much if you're managing security for a group of 500 engineers releasing product everyday.


I appreciate your mentioning overthewire and claiming that you'd hire someone on the basis of their ability to make it through these challenges.

I do wish more CTFs kept their challenges online after the competition: good ones and these wargames form what are essentially the problem sets for a top-tier exploit engineering program.

I cut my teeth on these wargames, as well as pwnable.kr/tw and, of course, microcorruption. While working through some of these challenges and finally popping a shell was definitely satisfying, I'm not sure I'll feel "elite" until perhaps I take home master of pwn at cansecwest.


Is it a waste of time and money though, if you want MS on your resume?

It's a known fact that MS-holder salaries grow faster than BS (and PhD faster yet). So seems like financially it's a no-brainer.


The cost of a master's or doctoral program is significant. It's not just the price of admission, but also the opportunity cost. Most employers who will do education reimbursement only cover a small portion of the cost.

If you leave the workforce to study full-time, then it's often free (with the caveat that you must have a research assistantship or teaching assistantship), but then you lose out on multiple years' worth of salary.

So it's not a "no-brainer," financially speaking.


Thanks for sharing. Just out of curiosity, are you in a position to hire somebody -- or are you just suggesting that you would be a willing teammate for somebody with these criteria?


I am, and I disagree with a lot of what the OP put forward.

Security academics, self-taught pentesters, and people who simply gained hard security experience in their day to day jobs each bring something unique to the table. I'm far more likely to pick up the principal engineer with a security MS for a security architect role than I am someone who can prove to me they passed an OSCE.

That said, for the person who can prove to me they passed an OSCE, I'll knock two years off the pentest experience requirement for any such role.


I'm not currently in a position to hire people, but having served in that role in the past, I would given the opportunity not hesitate to follow through with what I said (practical concerns aside such as figuring out if someone went through the challenges on his own).

So my comment was mostly trying to illustrate that the skills one learns by going through these kind of challenges are extremely useful in practice and the skills one learns by doing an MSc of the sort advertised here pretty much completely useless, assuming one wants to do reverse engineering and vulnerability research and not just push paper, point at his Master's and call himself a "security expert".


Thanks for the wargame. Seems like fun, although the SSH connection feels like it's hosted in someone's basement.


Is that supposed to be cheap or affordable? As far as I knew online courses are up to a few hundred to get an official certificate. And I just graduated last week from a similar master's for €2k in a brick and mortar school. What's special about "under 10k" for an online study?

Edit: from elsewhere in the thread, I understand that a degree is usually more expensive than 10k in the USA? I guess a lot more, since this is making headlines? Is that also the typical case for online degrees?


There are three aspects that make the Georgia Tech masters programs incredibly compelling:

1) The degree earned is the same exact as what the on-campus students earn. Exact same diploma - no mention of 'online'

2) It is a top ranked program (the MS in CS is ranked #8 - not sure about this Cybersecurity one)

3) It is (relatively) cheap at under $10k


> 3) It is (relatively) cheap at under $10k

Well it objectively isn't, and 'relatively' doesn't help me in understanding how expensive a degree normally is in the USA.


It's under $10K for an accredited Master's degree in the United States, where higher-ed prices have soared over the last thirty years.


For an accredited Master’s degree from the #8 CS program in the US* - https://www.usnews.com/best-graduate-schools/top-science-sch...


Which is to say, you might actually have to learn something if you go to CMU, UCB, MIT, Stanford or UIUC; instead of just leeching off of your group-project teammates.

(Not that I've ever had any experience on the receiving end of this... /s)


For comparison I briefly took online masters classes from my alma mater, a state school that is not especially heard about often, and it was approximately $2000 per class.


As anecdotal data: The Masters program I took (not in Cybersecurity) is offered online for the same price as it is in person (I did it in person). If I were to do it again today, according to its website, the program would cost a total of $37,000 (€32,5k) in tuition, not including books, etc.


Exactly. Most MS degree programs in the US cost $5000 per course, and 10 courses are required. That's $50,000 in tuition, so $10K is a great price. GT's MS degrees are easily the most affordable grad degree from an elite school in America.


10k is extremely affordable at an elite CS school worldwide. No offense to wherever you went, but Georgia Tech is almost assuredly higher rated for US private sector by quite a bit. This even applies if you went to TU Delft based on your bio.

Worldwide it holds less prestige but in the USA for the major companies, GT is very highly regarded and the students are heavily recruited.


I think this 31337 school thing is also USA-specific and not as important in the rest of the world.

When I interned at Deloitte (here in the Netherlands), there were a lot of employees from two particular IT security studies. There was teasing and slight rivalry back and forth of course, but it definitely wasn't that one camp got paid more or was hired more easily than the other.

In fact, if you were to ask, most people would tell you that any vaguely relevant master's would do (and get paid similarly) since the company has to teach you the specifics anyway. Now I've noticed that's not entirely true, they will definitely frown upon a network engineering graduate applying for a security job, but you'll still get the job if you can convey your interest in the field.


lol no.

Job market for GT BSCS grads is the same bollocks as most anywhere else. I say, save your money and go someplace else (or self-teach) and then use a recruiter that knows wtf they're doing; that's what will make the difference.


It sounds like you just have no regard for a formal education -- which is fine. However, for many, it's still a great indicator that you have had at least some training on the fundamentals of your practice area.

The job market for GT grads is the same as everyone else, yes, because it's unlikely a job is going to magically open just for a GT grad. However, I guarantee saying you hold a GT BSCS catches the eye of recruiters more than a certificate from Udemy or no education but some experience.


I spoke and speak from personal experience; and I'm not going to copy-paste my HN profile.

I do in fact hold rigorous formal education in high regard. But I doubt that more than about 70% of GA Tech BSCS holders have actually received such a thing; and a result from a 70/30 binary distribution is not a very informative piece of evidence.

I don't doubt that a Udemy cert alone is as close to bubkes as you claim. I do doubt that an Anytown State University degree is in the same bucket as Udemy certs, rather than the same bucket as a BSCS from GA Tech. I have also seen recruiters that can very easily convert autodidacts' and Udemy grads' raw experience and competence into employer signals.


I'd really like to see them do this for an undergrad. I never finished mine, which hasn't really held me back in my career except for wanting to pursue a masters. I've looked around, and I've never really found what I consider to be a respectable online undergrad for less than about 50k worth of tuition.


https://www.ox.ac.uk/admissions/graduate/courses/msc-softwar...

University of Oxford Master’s in Software Engineering

https://mba.london.ac.uk/overview/programme-structure/

University of London (Queen Mary’s) MBA

https://london.ac.uk/courses/finance-major-banking#entry-req...

SOAS University of London Master’s in Finance

All of these Master’s will admit students with enough relevant work experience without a Bachelor’s degree. If your work experience is tangential to what you want to study they might tell you to go do a MOOC and apply again with proof you did well in it.


GA Tech does admit some students to the Masters programs who don't have bachelor's degrees. The Micro Masters programs at edX may be a way in to the MSCS programs without the undergrad step. One benefit of the MM programs is that they're basically open access. You do what is essentially 1/4 of the degree online first, and if you do well you may be admitted to either the residential Masters program or the online program. Disclosure: I work at edX.


https://www.omscs.gatech.edu/prospective-students/faq

Unless I misread the below they prefer a Math, CS or Engineering Bachelor’s and a Bachelor’s of some kind is an absolute requirement.

> Preferred qualifications for admitted OMS CS students are an undergraduate degree in computer science or related field (typically mathematics, computer engineering or electrical engineering) from an accredited institution with a cumulative GPA of 3.0 or higher. Applicants who do not meet these criteria will be evaluated on a case-by-case basis; significant professional or other work experience with supporting recommendations may qualify as an adequate substitute for the appropriate academic credentials, however work experience will not take the place of an undergraduate degree


For Gatech, a BS is required for sure, because that is the basic requirement of the on-campus program.


Not an absolute truth. I know this for a fact.


^ yea I'm also not seeing anywhere that this is true. I'd love to hear that it is.


I know people who have been admitted to MS programs without an undergraduate degree. Both had significant progress towards their BS/BA (one had an AA) and seriously good private sector work done (one at Microsoft, another at a startup) with either published papers or extensive open source contributions.


A lot of schools including GT will accept 3 years' worth of credits from a junior or community college. You can then finish 1 year's worth of additional credits and get the degree from the final institution.

A working person might be able to space out classes so that they can continue their full-time job, but I'm not sure.


Enrollment only available to those who can SQL inject themselves into the class registries



This is positive. More quality online degrees please.


You would still have to look into how these courses are structured. A lot of these online courses/MOOCs tend to be heavily watered down, even when they're offered by major universities.


So you're saying I can get an MSCS from a top tier school AND it won't be as hard as normal?


No. A BIG no. Stanford has been offering an on-line MS in CS for about 30 years using videos of the same courses taught on campus. Same tests. Same grades. The degree is exactly the same, on-line or not. Same for U of Illinois. Same for Ga Tech. The word "online" does not appear on the diploma. THESE ON-LINE DEGREES ARE EQUAL IN EVERY WAY TO ON-CAMPUS DEGREES.

Yes, there's a HUGE range of quality in on-line degrees these days. Many of the degrees are sold by degree mills calling themselves universities and cheating the hell out of their students. Almost all MOOCs are a watered-down subset of an on-campus course.

But the on-line degrees from these top tier schools do not suffer from that.


Yeah - but employers will see online and give it as much credit as if you'd watched a few youtube videos.


Where would employers see online?


The difficulty at a lot of top-tier universities is usually not the courses but more "getting in".


And if it were any other way, then our field would go the way of the lawyers.


> A lot of these online courses/MOOCs tend to be heavily watered down, even when they're offered by major universities

I am curious as to your basis for this statement. Have you done many? Why would a prestigious institution be willing to dilute its brand in that way?


It's not true in Georgia Tech, at least in OMSCS. After you finish 10 classes you will have done 20 to 40 projects and as many exams, in addition to homework and papers.

You will at least have a rich GitHub repository if you go through it. If you try your best you will also learn a lot and make connections.

The advantage of a part time masters is that the connections are of a much higher value. During your undergrad you and all your connections will go on the job hunt. In a part time masters some of your connections will be hiring.


I'm currently in an online MS Information Assurance program offered by Iowa State University. It's both more expensive than this offering (although not by a lot) and from a university with a lot less name recognition. I mean, besides that it's probably in Iowa.

So on the surface the GATech offering looks superior. However, I can't help but wonder how the "at-scale" model changes that. At IA State I'm "in" rather small classes and have very ready access to the instructor by email and phone. My work is also almost all graded by the instructor directly, most courses aren't big enough for a TA to have been hired. So I feel like it's a fairly personal experience, despite my physically being several states away and watching lectures recorded. I'm working on forming a committee for my thesis this semester so I'll be conversing directly with the faculty even more.

I wonder how an "at-scale" program like this, which seems to get built more on a MOOC model, will compare. Will it feel nearly as much like receiving direct instruction from an expert, which is what I would want a graduate program to be, or will it feel more like an off-the-shelf mass produced training package? That's a big concern to me.

Edit: I also feel like it's worth noting that my program confers an MS, with either thesis or creative component at student choice. I suspect this will be viewed more favorably by employers and others than an "OMS," even with a big name on it.


I looked quickly at some online master's offerings and you are exactly describing the struggle.

Some places seem to charge an enormous amount of money (>40k$) and some others a fairly small amount of money (<5k$).

Unrelated to the price, some are simply a glorified version of a Coursera MOOC with a non personalized experience while some others seem to offer a lot of 1:1 and side project opportunities directly with the TAs and teachers.

This field is in full revolution, but it feels like a lot of universities see this as an easy way to get a couple thousand extra dollars for only posting the lecture videos online.


This is a phenomenal field choice for an online degree. I'm a little surprised that they didn't have a professional institution co-sponsoring it (like AT&T did for another GT program). One of the big players like Splunk or Symantec seems like an ideal fit for this.


Still sad that Coursera/Udacity etc didn't really solve the course accessibility problem though.

Master's degrees are cool, but what about Bachelor's degrees?


There's an online BS CS on Coursera. I can't really imagine how that works though because a BS typically isn't as specialized as an MS.

https://www.coursera.org/degrees/bachelor-of-science-compute...


It is offered by a British university. Undergrad degrees are more specialized here than in the US, a BSc in Computer Science is a completely normal thing and is what the majority of British CompSci grads would have.


They’re well on the way to solving the accessibility problem in terms of having all the materials available to cover a Bachelor’s in CS if they’re not there already. Coursera have partnered with the University of London to provide a Bachelor’s in CS. And the company launched in April 2012. The different MOOC providers may not have disrupted education but they’re off to a good start.


Has anyone here taken this degree program on campus? Would love to hear your thoughts about it.


This program was just announced. So the first cohort hasn't started yet. There are a bunch of OMSCS students in this thread though who have taken some of the classes.


The online program has actually been available since 2010 or 2011 I believe, the on-campus program since the 00's. The difference now is the price.


At the risk of topic hijacking, I was looking at Northeastern's cybersecurity masters program the other day. What do people think of this?

https://webcache.googleusercontent.com/search?q=cache:2ygsHH...


GATech brought in $68M from their $6,800 CS degree?

"OMS Cybersecurity is Georgia Tech’s third at-scale online degree program. It will follow the same model as the groundbreaking online Master of Science in Computer Science (OMSCS) program, which launched in 2014 on Udacity with support from AT&T and has enrolled approximately 10,000 students overall for the $6,800 degree."


You don't pay the full cost up front, and there is a substantial dropout rate + it typically takes at least 3 years to finish OMSCS. So the real number is probably a fair bit below $68M right now.


Some of that goes to Udacity.


Also, $6800 is on the optimistic side, probably achievable only by maxing out the number of courses that can be taken simultaneously (I believe the concurrent limit just went down, too). For the average person taking it one-class-at-a-time, it's a bit over $8K.


It comes out higher than that. Mine was about $10k all-in.


Textbooks? I've been paying $811/class so far.


Same here. Did the degree previously require 12 courses instead of the current requirement of 10? I feel like when I first started looking into the program before I joined it was 36 credit hours, not 30.


Good call, it looks like that is exactly what happened [0]. I wonder what drove that change?

[0]: https://www.reddit.com/r/OMSCS/comments/2ydahe/how_long_time...


As the home site I used to go to for the hacking zine Phrack, it seems very appropriate they would do this. The courses though seem more generic than I'd expect. I tried to find the old gatech.edu site for phrack to add the URL here, but all I find now is phrack.org.


Another poster listed the curriculum. As a security professional from a top software company I am not really impressed.

The curriculum is as follows (tech specialization, the others are worse):

1 intro to security

1 intro to policy

1 hands on lab

1 crypto

1 netsec

2 it security

choice of (2):

basic CS courses (i.e. mobile apps, operating systems)

None of that will help you get a job at any company with a serious security org. All of those courses from what I could find are the same introductory level electives you can get in your BS degree in CS.

It is not a specialized program, it is more of an introduction to security and CS at the MS level.

Things that would help:

Client XSS, Authentication / Session Management, Secure client/server architecture, defining access boundaries, phishing / social engineering, red team / blue team setup, automated vulnerability regression tests, SSDL, threat modeling, etc.


Your list of "things that would help" are topics that (I imagine!) should be covered in intro to security, netsec, or IT security -- e.g. as 1-week or 2-week sections during the respective courses. Very few of your topics should be dedicated courses.


Agreed. Those topics are very specific instances of general principles that are usually taught in a security course.

What did OP mean by "secure client/server architecture" though? What are the basic/fundamental principles behind it, that are NOT covered in cybersec education?


I'm a grad of the OMSCS program. The "netsec" subject covered all of the "things that would help" and some in detail with practical projects.


"Client XSS, Authentication / Session Management, Secure client/server architecture, defining access boundaries, phishing / social engineering, red team / blue team setup, automated vulnerability regression tests, SSDL, threat modeling, etc. "

^ I am in no way trying to be offensive here. But if you are already a programmer, with the exception of "threat modeling" and "regression tests", it seems all those topics combined would take a week to learn?


If "learn" is "has seen and memorized a checklist", then maybe. Don't expect people that "learned" like that to be able to do much in practice with that though.


Yeah. Security is best learned after creating software for four or five years. Before that you're not going to have enough of the pieces to think about it creatively. Things turn into "rules-games" where everyone else has to tell you the rules. Also, I think studying data science is underrated for cybersec.


As a cybersec consultant with experience working with many security organizations, I wholeheartedly disagree. There is a lot more to security than things that have to do with software engineering. In my experience, the companies with the worst security are ones that primarily employ current or former software engineers as leaders of their security teams with a misguided mentality that security is just a subset of software engineering. Because of that mentality, they tend to focus on a very small portion of security principles.


Most vulnerabilities include or source from some sort of poor software engineering though, which may root from said issues, among other things. Most of these vulnerabilities (including some hardware vulnerabilities) are discovered and exploited with clever, creative software engineering / exploit development.

I know cybersec is extremely broad, but I think software engineering plays an extremely important role.


I certainly agree it's an important part of security, but that's vastly different from "you should have 4 years of engineering experience before you can start learning security".

Speaking practically, the vast majority of companies that experience one of the vulnerabilities you are referencing are not going to be patching the code themselves - they're going to be updating their infrastructure with code that was written by someone else. And before they even get to that point, they are going to have to have policies/procedures that alert them of that vulnerability, that assess how important patching that vulnerability is, that determine cost of patching/not patching, that determine how to receive that patch, and that determine how to apply that patch. And all of those things involve much more than programming.

One of the other largest parts of defending a company from being hacked is training and protecting employees from social engineering/phishing attacks, and that's something that doesn't involve writing any code (or even knowledge of code) at all.


Fair points, thanks!


> There is a lot more to security than things that have to do with software engineering.

I didn't say there weren't?

> In my experience, the companies with the worst security are ones that primarily employ current or former software engineers as leaders of their security teams with a misguided mentality that security is just a subset of software engineering.

Wasn't what I was advocating for.

I'm advocating for learning security after you have a base of software development. Not leading a security team with no experience learning or practicing security. Also, this is a huge and growing field, so I'm speaking generally, but I'm sure there are sub-areas where there are counter examples.


For instance?


Training and awareness, asset management, third party management, policies and procedures, legal (you should have lawyers looking over HIPAA/PCI/GDPR stuff, not a programmer), identity management, incident response, recovery & business continuity, communications plans, PR...

I could keep going. All of these things could have some software engineering component, such as with identity management: there is a component there that deals with (for example) writing code to integrate your web app with multi-factor authentication, but identity management also encompasses things like writing good access control policies, managing the legal requirements for access, training people on how to use that multi-factor auth, etc.

Engineering skills are of course of great use if you are talking about the security of a specific codebase or doing penetration testing or doing the nitty-gritty customization of a security application, but "cybersecurity" is much more than that.


From my experience I agree. Physical, legal and network controls often get neglected.


There are a number of organizations that apply data science, ML, and HPC to support cybersec operations. The ones I am familiar with would likely consider an MS in CS to be a good entry point. A candidate that also had another substantial degree would be of even greater interest.


>Also, I think studying data science is underrated for cybersec.

Can you elaborate? I know a lot of security teams will have large amounts of machine data thrown into ELK or Splunk, but that seems like qualitative data and so there's not a lot of number-crunching to do.


There's just so many things that are helpful from data science.

Graph Analysis => Saw some guys turn the Android codebase into a graph and use that to turn a dozen minor exploits into a chain that gave them root. Pwn2own IIRC.

Statistics => Great for detecting anomalies / understanding how to evaluate manipulation of cyber adjacent systems. For example, understanding the beta distribution lets you figure out how someone will game ratings in your app store to beat out legitimate apps with similar sounding ones. And of course all of these things cut both ways: if you're on red team it helps you masquerade more effectively.

Recommenders => Obviously useful to understand from attack detection, spam filter evasion, etc.

Linguistic analysis => De-anon attackers by the language they use. Figure out automatically which email accounts have been owned by sudden changes in speech usage.
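
The beta-distribution point in the comment above, worked through from the store operator's side as an added example (not part of the original thread). The app names, rating counts, uniform prior and 5% credible bound are all constructed assumptions.

```python
import math

def mean_score(pos, neg):
    """Naive ranking score: the raw fraction of positive ratings."""
    total = pos + neg
    return pos / total if total else 0.0

def beta_lower_bound(pos, neg, q=0.05, prior=(1.0, 1.0), bins=20000):
    """q-quantile of the Beta(prior_a + pos, prior_b + neg) posterior.

    Read it as: "given the ratings seen so far, the true positive rate is
    above this value with probability 1 - q". Computed on a midpoint grid
    so only the standard library is needed.
    """
    a = prior[0] + pos
    b = prior[1] + neg
    xs = [(i + 0.5) / bins for i in range(bins)]
    # Unnormalised log density, shifted by its peak to avoid underflow.
    logs = [(a - 1) * math.log(x) + (b - 1) * math.log1p(-x) for x in xs]
    peak = max(logs)
    weights = [math.exp(v - peak) for v in logs]
    target = q * sum(weights)
    acc = 0.0
    for x, w in zip(xs, weights):
        acc += w
        if acc >= target:
            return x
    return 1.0

def rank(apps, score):
    """App names ordered best-first under the given scoring function."""
    return [name for name, _ in
            sorted(apps.items(), key=lambda kv: score(*kv[1]), reverse=True)]

def ratings_needed_to_outrank(target, score, limit=10000):
    """Robustness metric for a ranking rule: the smallest number of
    unanimous positive ratings a brand-new listing needs to score above
    `target`. A higher number means the rule is harder to game."""
    goal = score(*target)
    for n in range(1, limit + 1):
        if score(n, 0) > goal:
            return n
    return None

# Constructed sample data: (positive ratings, negative ratings).
APPS = {
    "PhotoEdit": (4500, 500),      # established app, 90% positive
    "SnapTune": (850, 150),        # established app, 85% positive
    "Photo-Edit Pro": (10, 0),     # new lookalike listing, 10 perfect ratings
}

if __name__ == "__main__":
    print("by raw mean:      ", rank(APPS, mean_score))
    print("by 5% lower bound:", rank(APPS, beta_lower_bound))
    for label, score in (("mean", mean_score), ("lower bound", beta_lower_bound)):
        n = ratings_needed_to_outrank(APPS["PhotoEdit"], score)
        print(f"ratings needed to outrank PhotoEdit under {label}: {n}")
```

Ranking by the raw mean puts the ten-rating lookalike first, while ranking by the posterior lower bound keeps both established apps above it, because ten ratings leave the posterior wide.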


Things like fraud detection come to mind. Being able to build a model based on previously detected bad actors and then use that model to detect possible additional bad actors is a specialized but useful skill in some contexts.


Statistical anomaly detection is quite valuable.


If you have enough qualitative data it becomes quantitative data and you can start to do fun stuff with that.


The "already a programmer" thing is quite a misconception here. Security has many topics and domains that have nearly no crossover with being a programmer. It's possible that many people entering this degree program have no past (or future) experience writing code.

Anecdotally, at my (one of the largest in the world) security consulting firm that hires from similar degree programs, a very small minority of people have any experience as a programmer, and a similarly small minority of our work involves writing/reading any code.


>"Another poster listed the curriculum"

I'm not sure why you are just reposting what someone else wrote, the course and curriculum are linked to in the second sentence of the article.

It's far more solid than your incredibly spartan summary:

https://pe.gatech.edu/degrees/cybersecurity

Your list of "things that would help" are likely found in:

"Introduction to Information Security (CS 6035) A full spectrum of information security: threats, software vulnerabilities, programming for malice, basic cryptography, operating systems protections, network security, privacy, data mining, computer crime."


I disagree. Every year I go over a hundred new-grad resumes from top schools and interview for dozens of security engineer and researcher positions. My basic impression is that no undergrad program has any worthwhile undergrad-level security emphasis. I would definitely give someone with such a masters degree a second or third look.


It's my observation that a master's is often a "second field of study" after getting a bachelor's. Whether that should be or not is debatable. But I know people in the field of infosec that have less experience than this, so if someone really groks the content of these courses, I'd hire them.


Yes. When I did my undergrad in CS, the people doing Masters degrees were taking many of the same classes. Different course catalog numbers, but they were sitting in the same room with me, hearing the same lectures, and doing the same homework.


As this is a masters-level course, arguably readying people for management, I would add a course or two on compliance. Too many security pros know how to secure a system but know nothing about security standards. If you cannot explain how what you have done complies with various standards, all your effort will be torn down.

A course on documentation would also be prudent. Knowing the difference between policies, standards, and procedures will help you in any interview for positions above entry level. Knowing qualitative from quantitative, and being able to talk about abstract security theory, would be good too.

And some law. Some basic course so you can talk about negligence and liability without sounding like a wikipedia page.


As a non-degreed developer who is looking to transition to security work, I was initially excited to see this program but had a similar reaction after looking at the curriculum.

Potential gems on the list might be the OS or networking course if they are run something like MIT's 6.828 with lots of lab coding and perhaps a bit of hand-holding, but if you can just clone last semester's 6.828 repo and get osdev'ing, why drop 10k to spend most of your time on courses that look like yawn central?

I think what I really wanted to see was a lab-focused curriculum for aspiring vulnerability researchers, so perhaps I was bound to be disappointed.


> a lab-focused curriculum for aspiring vulnerability researchers

An MS is an academic degree so of course it will be heavy on the theory, and you will mainly be expected to do practical work independently on top. Same as an undergraduate degree actually, at least a good one. That stuff you call “yawn central” is the principles that will last your entire career; the stuff you learn in the lab will be obsolete in a few years.


Your list of topics sounds like what should be covered in security in a software engineering context more so than a computer science context. In computer science I would expect more of a deep dive in to the crypto math stuff.


Some of that is definitely covered in the curriculum, at least in the classes I took at GT that are part of this.


Was it covered in a theoretical sense where you took quizzes on it, or in a more hands-on way where you find XSS exploits and exploit them?


Intro to Information Security, for example, has four hands-on projects:

1. Exploit a buffer overflow in a C program

2. Use Cuckoo to understand a malware attack

3. Implement CBC encryption algorithm and a brute-force algorithm to crack it

4. Demonstrate an XSRF, XSS and SQL injection attack

Remember this is an intro course and there are about 2-3 weeks per project so you won't be an expert but I'd say it makes you aware of some of the basic security attacks and how to prevent them.


Georgia Tech biases heavily towards hands on project design. It was also rated the worst school in terms of work life balance while I was there. Grad level courses will easily suck up a substantial portion of your life, even if the content seems 'simple.'


My focus wasn't security, but the classes I took were hands on projects


> None of that will help you get a job at any company with a serious security org

Most of the jobs are with non-serious orgs. But yeah, paying $10k to get a basic bootcamp on security probably isn't going to inspire tons of confidence by employers.


Thank you! Do you recommend a few books or courses that would have better / more relevant coverage for people interested in the space?


It would be great if you could share a list of recommended readings for each of the things you posted. Thanks in advance.


Here's the requirements for GATech's standard Cybersecurity MS:

    Core:
     
    CS 6035	Intro To Info Security	
    PUBP/CS/MGT 6725 Info Security Policies	
    CS/ECE/PUBP 6727 Cyber Sec Practicum	
    Elective (CS/PUBP/ECE 6000-level)	
     
    Tech Specialization:
    CS 6260 Applied Cryptography	
    CS 6238 Secure Computer Systems	
    CS 6262 Network Security	
    CS 6265 Information Security Lab	
    Any 2:
    CS 6210 Adv Operating Systems	
    CS 6250 Computer Networks	
    CS 6255 Network Management	
    CS 6300 Software Dev Process	
    CS 6310 Software Arch & Design	
    CS 6340 Software Analysis & Test	
    CS 6365 Intro Enterprise Comput.	
    CS 6390 Programming Languages	
    CS 6400 DB Sys Concepts& Design	
    CS 6675 Advance Internet Comput	
    CS 7210 Distributed Computing	
    CS 7230 Software Dsgn,Impl& Eval	
    CS 7260 Internet Arch& Protocols	
    CS 7270 Networked Apps&Services	
    CS 7292 Reliable Secure Comparch	
    CS 8803 Mobile Applications and Services
     
    Energy Systems Specialization:	
    ECE 8813 Smart Grids	
    ECE 8813 Introduction to Cyber-Physical Electric Energy Systems	
    ECE 8813 Introduction to Cyber-Physical Systems Security	
    ECE 8803 Computational Aspects of Cyber-Physical Systems	
    And any 2:
    ECE 6550 Linear Sys and Controls	
    ECE 6607 Computer Comm Networks	
    ECE 6615 Sensor Networks	
    ECE 6102 Dependable Distribut Sys	
    ECE 6320 Power Sys Ctrl&Operation	
    ECE 6323 Power System Protection	
    ECE 8813 Advanced Computer Security
    ECE 8813 Network Forensics
     
    Policy Specialization:	
    Select 4 courses:	
    PUBP 6502 IT/Comm/Telecom Policy	
    MGT 6726 Privacy Tech Policy Law	
    PUBP 6111 Internet & Public Policy	
    INTA 6014 Scenario and Path Gaming	
    INTA 8803 Data Analytics and Security
    PUBP 6501 Information Policy & Mgt	
    INTA 8803 Challenge of Terrorism in Democratic Societies
    And any 2: 
    PUBP 6701 Energy Technol & Policy	
    PUBP 6014 Organization Theory	
    PUBP 6401 Sci,Tech & Public Policy	
    INTA 6103 International Security	
    INTA 6015 Technology& Military Org

I'm pretty meh about this. In particular: when we think about the "cybersecurity talent shortage" (I don't believe that one exists, but whatever), we're thinking about what this degree program considers "technical specialization" roles. I don't look at that course list and think of a consistent cohort of people it produces that are especially ready to take on jobs in my field.

I'm also: why do they make Cybersecurity MS candidates take that pointless Applied Cryptography class? I read the lecture slides for it, and, like most university crypto classes, it's "just enough cryptography to make you dangerous, with just enough math notation to make you think you learned something really hard that you didn't really learn".

The MS core classes are an intro to computer security that might be workable as a 100-level class in a serious CS program, a "policies" class that looks just absolutely deadly (1 week on "HIPAA, GLBA, FISMA", then a week on the "NIST cybersecurity framework", then a week on "cybercrime and cyberwar"), and a capstone independent study program.

My advice: get an internship and skip the MS. They'll pay you to learn this stuff.


What makes you think that a 600 level course at a top 10 CS program is equivalent to a 100 level course at a "serious" CS program?

(I graduated from GT but didn't take the undergrad version of intro infosec, which is 400 level and is likely crosslisted with the on campus 6035. I also don't think infosec was the most rigorous of courses from what I heard, but still)


Because I went to the course site and read the syllabus and the prerequisites.

I agree that Georgia Tech is a top CS program. I don't think this is a top CS degree.


I guess my point is, if you consider GT to be a top CS program, then the fact that undergrad intro infosec is a 400 level course (on the easy side, but 400 level), would imply that infosec isn't a 100 level concept (this makes sense, before you can start to understand secure vs insecure X, you first should just understand X, without security being an implication).


My son just finished UIUC CS 125 (the programming intro class for non-majors) and he'd be fine with all the material I see in 6035. That's I guess how I'd sum it up.


If this is anything like the courses I did at GT, the courses might look simple, the content might not seem deep, but the meat of the learning will be done in the constant onslaught of deep diving practical assignments. Applied Cryptography definitely seems like it will fit the bill here. The Energy Systems Specialization looks like it dives deeper than the other tracks, though.

I agree that the credentialism is the real issue here. I wanted to go into security after graduating and couldn't find anywhere offering jobs with less than 3 years of work experience or a graduate degree, lucky if it was only an MSc requirement.


Not commenting on the class, but the talent shortage. It is definitely real. However, it is actually easier to find security engineers than product managers FOCUSING on security, leaders who are also good at security & can speak "past security" to the business. Security is often a dead end in the C-suite area... because of the personality quirks.


Can you elaborate more on product managers focusing on security? I just graduated with a B.Sc in CS but am in a networking job now, where there is a lot to learn. I am planning to branch into the security field after getting more experience (2-3 years).


I don't believe that it is real, but rather a byproduct of credentialism.


From this, I can trust that any GA Tech OMS graduate has covered those subjects to the satisfaction of an expert on the subject. Maybe "covered" is kinda thin, yeah, but at least I know they've been covered to at least a sensible minimum.

That vs having to interrogate a candidate on 22 subjects, identifying what constitutes sufficient coverage. I've seen enough self-taught developers who clearly haven't covered the basics to be concerned.


You should do both, the MS and the internship. Many cybersec practitioners that I have known are particularly poor at communicating their expertise to others.


Having taken that very Applied Cryptography course twice, I assure you it is not easy. One of the most difficult in the program actually.


"Easy" isn't the word I'd use. Dated and not especially useful, maybe. What practical work did they have you do? I'm only going from the course slides.


Practical depends on how you end up using the knowledge right? For people into protocol development/exploitation it was a valuable course which taught many fundamentals of discovering cryptographic operational methods, flaws, procedures, and how to design or fix. The reason you always hear people say "never roll your own crypto" is because this is a difficult subject matter, but is necessary if you're trying to build a properly secure cryptographic schema.


Are there courses (in Udacity/Coursera/etc.) you find more relevant? What specialities do you think they should be teaching instead?


Thanks for the list. Any chance for sharing the textbooks / recommended readings for each?


CIA, MI5 offer the best courses, plenty of paid for field work in interesting locations around the world. Just answer strange adverts, like Godolt is not coming, or be observant when out walking.


Any way of getting scholarships for these online degrees?


It all makes sense to me. You received a Master's online, because it's Cybersecurity. Hacking between you and the mentor would be a lot of fun.


edX has a bunch of upcoming online Master's degrees:

https://www.edx.org/masters

I wonder which schools will be offering the CS, EE, and Accounting Master's. Hopefully MIT, MIT, and UT-Austin, respectively. Does anyone know anything beyond what's already posted?


Man I would go back to get a brass rat! Wonder why Rensselaer Polytechnic Institute isn't on your list? Then again an online degree takes all the fun out of living in the "asshole of the universe" as the students allegedly dub Troy, NY.


Not to berate other schools but the ones I listed are top in their respective fields.


I completed this online MS InfoSec program in 2013 back when it cost $40k (out of state). Who do I talk to in order to get a refund for the difference since now Georgia Tech are effectively admitting they were price gouging me by $30k?


How was it?


I thought it was a fantastic and quite challenging program from a curriculum standpoint. From a logistical standpoint organizing group project work across time zones was difficult at times. Not being able to ask the professor follow-ups in real time is a bit of a bummer, but they were all very responsive via email. Best of all is being able to kick back with a beverage in comfy clothes to watch the lectures in the comfort of your home. Worst part was the prices. I double checked and it cost me exactly $55,080 in total. So at $10k this is an absolute steal. I just wish they'd refund me the difference now.


If it was so cheap to produce then why does it cost $10k?


Because someone figured that they will make the most profit at that price point taking costs into account. Keep in mind that there are also presumably per student costs for things like grading assignments, exams, virtual office hours, etc.

edit: Profit as institution, not just on this program, devaluing their in-person MS programs by charging very little for the online version would be a net negative in profit for example.


It was a joke


Good one.


thx


Or move to Belgium/Germany where university education costs less than a thousand per year.. And you may enjoy a proper beer as a student.. Afterwards universal health insurance and unionized labour.. All debt free.. Cheers!


Maybe those German universities should get in on this online action! I could do an online masters from Germany just as easily as I do one in Georgia...


That's actually a very interesting idea for a country with socialized education wanting a large academic footprint in the world: also open up your classes to online and service the world. I don't know how expensive it might be, but it's got to be a lot cheaper per student for the university.


The universities in many European countries are subsidized by the state because education is considered a human right. Having a proper set of teachers, brick and mortar universities, research, etc. costs a lot more than 1k/year per student. While allowing 5-10% foreign students is good for the remaining 90% because culture, variety, etc., opening up the lectures to people who effectively do not pay taxes makes no sense.

This is why in Bulgaria, Cz and other countries you see locals paying low rates while other Europeans pay private college fees.


> This is why in Bulgaria, Cz and other countries you see locals paying low rates while other Europeans pay private college fees.

That's incorrect. In EU you can't price-discriminate, based on nationality, regardless of the product or service you're offering. Of course, that applies to EU citizens only. Non-EU citizens do indeed pay higher university fees than locals.


As far as I can tell, the price here (Czechia) is based on the language of the study programme, not nationality. You can study in Czech for free even as a citizen of another EU (not sure about non-EU) country. I don't think it's a particularly practical idea though. The fee for the English version was about 5-6k$ per academic year last time I checked.


In theory or in practice? :-) You're right (in theory), in practice I can assure, it happens.

Quick Google search: https://www.medicalstudyguide.com/bulgarian-university-tuiti...

Come to think of it, they probably discriminate on the basis of the program language: If you take the English course you have to pay high tuition fees, while if you take the local language program, you don't.


> In theory or in practice? :-) You're right (in theory), in practice I can assure, it happens.

If you're a foreigner, haggling at a local flea market, of course it can happen. But in "official" places, this is simply not possible. And yes, that program discriminates based on language. If you take the version in Bulgarian, you'll pay the same fees as locals, though you're usually forced to undergo a paid language course before enrolling.


As someone currently working my way through OMSCS, I imagine that the incremental cost of adding students is very low. I don't know exactly what ratio GT uses, but the only non-digital scaling they do is TAs. With more polishing of the online content and improvement of the auto-graders, they could probably push the ratio down pretty low. Just have to figure out how to do it without compromising the perceived quality of the education. And TAs aren't expensive in any case, I'm pretty sure they are compensated pretty poorly.


I'm led to believe their student-TA ratio is about 50:1.

The US$15/hr TA pay rate is absolute garbage - when I TAed as a 3rd year undergrad in Australia, I was paid double that.


Taken from an email I got last semester:

Working as a TA pays $15 per hour, distributed twice monthly based on submitted timesheets (alumni are salaried, however).


Well there's the language barrier but hey, for 10K I'll learn German also.


I imagine they would just teach it in English. I believe it's pretty standard for Western European students to learn English fluently. Maybe dual language? OMSCS gets a fair number of foreign students from around the world and only teaches in English AFAIK.


Dutch master's are all English for a while now. You don't get the same subsidies as EU residents, though, but it's also no more expensive than this online business and you get to have an actual classroom (for many that's a plus).


Most masters degree students are over the age of 21.

Also “move to Germany” isn’t really something you can just...do.


It is. People treat moving like some sort of impossibility -- apply for a student visa and go.

The quality of education you'll get there is questionable, though


I find in STEM that's not such an issue.

I mean I studied Physics at a good UK Uni but it isn't like one of the best in the world or anything.

Then I did Neuroinformatics at Edinburgh which is really competitive due to their reputation in AI etc.

It was fine, ultimately linear algebra etc. are the same wherever you learn it. I think in less objective and more qualitative fields the reputation of the University etc. counts a lot more.


As someone who's taken two linear algebra courses at different schools -- it's really not. When the expected level is familiarity with basic concepts vs. being prepared for a top-tier graduate degree program, the course content becomes very different. When this is aggregated over all of your courses, then you start to get a gigantic disparity.


>The quality of education you'll get there is questionable, though

Why would you think this? From my experience technical universities in Europe do a lot less hand holding and a lot more practical courses than American ones do.


Do you have a source for your quality statement? Many European universities do quite well in the rankings.


> Belgium/Germany where university education costs less than a thousand per year.

France too, and I suppose most(?) European countries. Many universities have international masters where classes are taught in English. Students come from everywhere, including the US. It's easy to get a student visa.


I know this is an online degree, but just going to throw out there that the states has better beer than Europe these days. And Atlanta is one of the new up and coming stars. My brother in law's brewery went home with a silver GABF medal last year.


super fast broadband.. super fast autobahns.. super good cars.. in Germany..


super fast broadband is something Germany is... not great at.


Can't speak about Germany, but we have 100Mb/s symmetric internet for about 5$/month at the Charles University student dorms here in Prague.

Technically, there is supposed to be some fairly brutal bandwidth sharing and the speed is not guaranteed in any way but I never had my speedtest drop under 90Mb/s


Universities are a bit of a different bag in general, and yes, I was specifically talking about Germany. There are large differences between European countries when it comes to internet speeds and costs.


The price and the healthcare ... Ok they got us here. But beer? The breadth and depth of beer in the US is insane now.
