Since arriving at Rice, my primary teaching responsibilities have been Comp527 (Computer Systems Security) and Comp314 (Applied Algorithms and Data Structures), taught in the fall and spring, respectively. Comp527 attracts from 10-20 students, usually half seniors and half graduate students. Comp314 is a required course for computer science majors, typically attracting 40 students, and is typically taken in the sophomore year.

Comp527 has evolved a good deal since I first taught it. Comp527 has always emphasized the practical over the theoretical. We do use formal specification and modelling tools, but ultimately the goal of the class is to teach students to have the good taste necessary to architect secure systems, properly, from scratch. In addition to wide-open final projects, I have tried a number of unusual course projects, including a smart card project made possible through the donation of equipment from Schlumberger. I had students first design a system intended to allow the purchase of soft drinks from a vending machine, using smart cards for the currency. I then swapped students' work with other students, allowing them to (gleefully) find the flaws in their classmates' designs and, conveniently, provide faster and more detailed feedback than a traditional grading process might provide. Most recently, I replaced this project with a home-made electronic voting system, where students were assigned first to be a corrupt developer of the system's fictional vendor, attempting to hide Trojan horse logic inside the voting machine. Next, students' projects were again swapped, putting the students in the role of an independent auditor. The results were both educational for the students and were interesting enough to publish in a popular IEEE security magazine.

Comp314 has been an integral, and somewhat controversial, part of the core computer science curriculum at Rice, starting well before I joined the department. Comp314 resulted from the historical merger of two separate courses, one focused on team programming projects, and the other focused on algorithms and data structures. This legacy remains in the course, with about half of the lectures focused on "theory" and half on "practical" software engineering. To freshen the course, we have redesigned all the in-class projects to have less drudgery and require serious algorithms and data structures. For example, rather than having the students implement a web browser, the traditional "hard" project, students now implement a genetic-algorithms-based image "breeding" program. Other projects emphasize graph traversal, text parsing, searching and indexing. Likewise, we have replaced the earlier "lead programmer / sub programmer" dichotomy with modern pair programming, significantly reducing the number of "flakey partner" complaints we have received. We likewise have removed C++, teaching in pure Java, allowing us to replace a week of lectures that concerned the C/C++ memory model with a week of lectures that discuss the concept of multithreaded programming and how Java's threading system operates. All of these changes allow Comp314 to be more focused on teaching concepts that programmers will need rather than language-specific skills that can always be learned if and when they are necessary. One of the most highly applauded changes we have made to Comp314 is having two guest lectures, typically one from an industry where formal software engineering methodologies are required (e.g., NASA) and one from a less formal industry (e.g., computer games). It's one thing for a professor to talk about the importance of planning in advance, but it's quite another for a game designer to talk about the "crunch time" prior to a major product launch and the attendant negative consequences on one's personal health.

I have also taught or co-taught several one-off seminar courses (e.g., Comp620), and have spoken as a guest lecturer in a number of courses both inside computer science and elsewhere on campus. I have spoken about copy protection technology to Chris Kelty's anthropology class, a computer ethics class at Duke, and annually for a Rice program that invites underprivileged high school students to visit our campus. I have spoken about electronic voting security in several venues, including a guest lecture for a government class at UT Austin. I have also taught tutorials at several week-long "summer schools." Most recently, I taught language-based security at an ACM-sponsored school on computer security in Poland in 2003.

My general philosophy, in everything I teach, has been to use exciting projects to motivate students. If students thinks a project is "cool" and brag to their friends about it, they will be more likely to spend additional time on the project, and, as a side effect, absorb the concepts behind the project. I have also been experimenting with a mix of teaching styles, doing some lectures with PowerPoint slides and others with in-class discussion formats. When I was at the ACM school in Poland, I saw several cryptographers giving far better lectures introducing cryptography than anything I had in my lecture notes. As a result, I redesigned six of my lectures around the slides of those experts. Unsurprisingly, I found student comprehension of cryptography was significantly higher than it had been previously. By continuously evolving my courses, redesigning and revamping the weak parts, I intend my courses to always stay current and engaging for my students.