A generation of amoral hackers?

Screen Shot 2016-03-27 at 17.05.22
The Mirror

I must admit, I chuckled when I saw the article by The Mirror, warning that a generation of “amoral and disruptive youngsters who use their skills to kick against society …with many using the skills they picked up in lessons”.

Anyone who has been in the classroom with a bunch of mixed-ability Y9 students, trying to encourage them to write/adapt a  program to switch on LEDs or play rock-paper-scissors, knows that classrooms aren’t exactly a hotbed of sedition.

However, I find myself in a genuine ethical dilemma when it comes to GCSE Computer Science.

Screen Shot 2016-03-27 at 17.24.26

The new OCR J276 specification includes specific references to online security. As expected you get some stuff on legislation (including data protection & computer misuse), references to anti-malware, firewalls, user access levels and passwords. You now also get mention of encryption, penetration testing and network forensics.

Encryption – no problem. It’s a little vague  but there are no specific mentions of algorithms (as you get at AS level) so I dare say we’ll look at the Caeser Cipher, probably Pigpen and a couple of others – moving up to the purpose of online encryption.

The interesting bit is the addition of penetration testing and network forensics. My experience in this area is pretty limited (I once cracked a neighbour’s WEP key just to see if I could, but that’s about it). Forensics; I suppose I could look at the logs on one of our servers or have a look at ownership of files in Linux but other than that I’m a bit stumped.

The one I’m pondering, though, is penetration testing (thankfully shortened to pen testing in common parlance – I can’t imagine the sniggering this is going to induce). The aim is to try and find vulnerabilities in a computer system. And the best way to teach about it (in general) is by doing it. So, I’ve been looking into methods and software to set this up in a classroom.

I could install Kali Linux on a Raspberry Pi and use it with a home-made LAN that is totally separate from the main network, or I could use the awesomely named MyLittlePwny (based on the PwnPi OS). With a little LAN built up of various Windows boxes, a spare (outdated) Mac and some Pis I suppose I could get the students to explore and experiment. But then I suddenly find myself drawn back to that article in the Mirror.

This year I’ve already had to intervene with some Y10 Computer Science students, one of whom thought it would be funny to copy a batch file that would delete/rename work in the user’s home directory and a couple of others who thought it would be fun to distribute it around the class. Do I really want to give those students links and hands-on experience with a more powerful arsenal?

Of course any lessons on these topics would need to be bookended (and interlaced) with discussions of morality, legislation and the difference between white-hat, grey-hat and black-hat hackers.

Screen Shot 2016-03-27 at 19.13.52.png
Top Secret

Another option is to make use of free online games (e.g. Hacker Experience or Slave Hack), maybe even looking at some paid-for desktop/mobile alternatives (e.g. the intriguing looking Top Secret, the assembly language simulation TIS-100, the retro hacking classic Uplink, its nephew Hacknet or the bizarre but engrossing looking Else Heart.Break()).

I’m not really sure what my conclusion is yet. I think that lessons in pen testing and identifying vulnerabilities in order to fix them are a good thing in principle. In practice, I’m not sure how akin it is to teaching self defence, only to find one of your students used their new skills to go and mug someone.

GCSE Computer Science specification roundup

Finally TPTB (Ofqual) have accredited the OCR GCSE specification for computer science. While this was inevitable, I didn’t want to review the specifications until they were all in.

So, here are my thoughts:

WJEC / Eduqas


I went to look at this first because I’m still intrigued by the online exam. Assessing programming skills in a timed environment is quite realistic and avoid the dirge of 20 hours of the kids staring at a screen and my having little opportunity to support them. The CA can become an exercise in grinding (akin to repeatedly carrying out a boring task to level up in a role playing game) and so I’ve always thought there should be something like the AQA A Level Comp 1 exam at GCSE, and WJEC are the only board to offer it.


It has to be Java and it has to be Greenfoot. The practical exam cannot be carried out in any other language or environment. Now I like Java, and I love Greenfoot. But I’m not sure it’s the right starting point for GCSE. There’s a lot of boilerplate and a lot of syntax (semi colons, curly braces, etc.) which VB, SmallBASIC, etc. and Python avoid. It also means you have to introduce object orientation (explicitly stated in the spec) – which is a big leap for a new programmer IMO.

More worryingly, the exam is in addition to, rather than instead of, the NEA. So you still get the 20 hour dirge on top.

The theory content explicitly states that students need to be able to use HTML. That, in itself, is not necessarily a bad idea, but it’s an extra language and set of syntax rules to learn on top of everything else.


At this point I’m out. A glance through the theory content looks broadly similar, but I want the practical exam to be instead of NEA, not in addition, and I don’t want to be forced into one environment – at least not if it’s an environment I’m not entirely comfortable with choosing.

Edexcel / Pearson


The specification is in line with the other offerings. Two written papers, one 20 hour NEA. The content is similar across all boards and is a notable step up from the previous incarnation (e.g. binary representation now needs to include sign & magnitude and twos compliment representation for negative integers). Reading the sample papers – this new course is going to be hard! But this is true for all boards.


The controlled assessment must be carried out without access to the Internet or a school intranet. So no extra help allowed, even if vetted internally. This is the most strict set of rules I’ve seen for this one. You can put copies of appropriate digital documents in home directories so I’m chilled out a little on my 4th reading of the spec.

You are also restricted to one board-set NEA task.

The mark scheme for the NEA gives 24 marks (40%) for implementation and 36 marks for analysis, design, testing, refining and evaluation. Systems lifecycle and consideration for data structures and for testing are important. But that sounds like a lot of emphasis on writing about programming with less than half about the actual programming.

The controlled assessment sample provided was quite vague (again, a common theme). This allows for creativity at the top end but very little support or scaffolding for those who might struggle.


Theory and exam-wise, it looks much of a muchness. The NEA also looks broadly in line (which is part of the point of the reboot), but the controls are extremely strict. I did find the exam papers looked fairly accessible.



AQA – you know where you are when reading the specification. It’s not the single most important aspect but I find the format of the document very easy to follow.

It’s also the exam board we are using at A Level, so there ought to be some good commonality between the two levels of specification. I always thought that the OCR GCSE legacy spec suited the AQA AS legacy spec extremely well.

Again, familiar content. This time no negative binary numbers, but you do have things like Huffman trees, which is something I will need to investigate myself before I’m ready to teach.

Internet access is allowed (implicitly) for the NEA. The only specific reference I could find was in section 5.2 (avoiding malpractice), which says that students must not copy directly from “the internet or other sources without acknowledgement”.

I’m not sure if this is a pro or a con – my current Y11s have had a really difficult time trying to avoid spoilers, or judge what is a spoiler, on their recent controlled assessment tasks. It’s certainly more open than the Edexcel approach, however.

The sample NEA task looked much more scaffolded than the Edexcel task which is a key issue for those students who need a bit more support and guidance.


Only 30 of the 80 NEA marks are for programming, the rest for analysis, design, testing, refinement and evaluation. That’s 37.5%, and I thought Edexcel’s 40% was low!

AQA’s interpretation of pseudocode looks more scary than Edexcel’s. Where Edexcel has lots of text-based output statements, AQA’s sample exam questions look like a sea of syntax that could well put students off.


Honestly… I think it’s close between Edexcel and AQA. I much prefer the AQA sample NEA task, but prefer the Edexcel exam papers. The theory content is similar, with some subtle differences but nothing that couldn’t be overcome with good planning from the outset.



It’s OCR. It’s Rob, Vinay and Ceredig – the team I’ve known off and on since 2010 (OK, it was George and Sean that I knew initially, but still…). It’s the team with a very supportive Facebook group that I’ve made extensive use of, and helped to take part in.

Edit to add: The support is a huge issue. Whether it is exam board support (the coursework consultancy is a great idea) or community support – having other centres nearby with the same questions and the opportunity to moderate both NEA and internal assessments is invaluable.

The new course is an iteration of the old one. I’m very familiar with the old one and have largely enjoyed it. The content has been ramped up here, as with elsewhere. Still no negative numbers here (unlike Edexcel), and not much that I’ve seen here and not elsewhere.

The NEA allows you a choice of 3 tasks each year, the only course to have this. So the students can choose the task that suits them best, or you can choose for them (more likely). The NEA also allows intranet access. This is implicit rather than explicit but I’m sure I’ve heard from Rob or Ceredig that this would be acceptable (within reason, of course). No Internet, but see above for comments on the rampant cheating that this might help to alleviate.

The NEA mark scheme award 20 / 40 (50%) of the marks for programming, and the rest for analysis, design, testing, refinement and evaluation. The highest ratio of doing to writing about doing that I’ve seen yet.

The NEA tasks are broken down in a similar way to the AQA offering, providing a little more clarity than the Edexcel vagueness but still with freedom to explore at the top end.


Edited: It’s OCR. Which might lull you (or me) into a false sense of doing what we have previously. For old hands like me who’ve been teaching the OCR spec since 2010 it is possible I will slip into teaching the same content – which would be a very bad thing as there is a definite shift.

OCR’s is the only spec that explicitly references SQL. I didn’t see anything in the sample exam papers but it’s definitely there in the specification. I don’t mind SQL, but given the choice of enforcing that students learn another set of syntax versus not doing so, I’m tempted to leave that until KS5.

The NEA mark scheme only offers 12 / 40 marks (30%) of the marks for programming. The lowest ratio of doing to writing about doing that I’ve seen.

Yes, that’s a contradiction to what I said above. There are 8 extra marks for ‘development’. Current OCR centres will be familiar with this section. It is kind of about doing and kind of about writing. And I didn’t see this quite as explicitly in the other specs. Going back it is there in the AQA spec (approx. half of the programming marks) – although there it is more about the summative description of what you have created rather than a narrative of how it was created. The Edexcel spec also focuses on the completed product with only a reference to screenshots demonstrating debugging skills.

In my experience the documenting of the development process is one of the most frustrating elements for the students. They want to be on and doing, not stopping to write it up as they go. And this leads to frustration and also to lost marks when actually they are very good programmers and problem solvers.

The chunked / scaffolded NEA tasks are not quite as chunked as the AQA sample assessment task I don’t think, though still clearer than Edexcel.


NEA (only 20% of outcome but a significant investment of time and enthusiasm) offers the most freedom and a fair amount of support as well as a familiar structure for the writeup.

The exam structure and presentation is largely familiar which is reassuring, but I would need to keep making sure I’m delivering the right content for the new spec and not the old one.


Overall Decision?

This is harder than I thought it would be.

I like the OCR team. I’m familiar with the OCR way of doing things and I like having the flexibility of choosing from 3 tasks each year. I like bullet-pointed, chunked programming tasks. I don’t need the Internet.


OCR still has the development section of NEA, which ought to be fine but is a drag. With AQA I can reduce the impact of that, keep my bullet points and still have freedom over how much the students can access online resources. Edexcel have made the NEA task description too vague and locked the rules down very tightly.

Exam wise I think I prefer Edexcel. Negative numbers aren’t so tricky and that was the only difference in theory I could find on a quick scan. The exam papers look relatively friendly and the pseudocode wasn’t as off-putting as AQA.

For me, it’s down to Edexcel vs OCR. With OCR I get more support and feel more comfortable with what is expected. With Edexcel I think there is the potential for a more prosperous pair of exams, though I do worry about the NEA.


Further thoughts

This new spec is going to be hard. Noticeably harder than the current spec. 2d arrays, subroutines (functions, procedures and libraries), specific network protocols to learn and more focus on writing accurate algorithms. I’m glad the NEA has dropped a lot, and this means we’ll have more time for exploration and learning instead of assessing and assessing, but next year is going to be a real challenge.

Spoilt for choice?

Your Vote Your Choice

Originally uploaded by alternatePhotography

A little over 2 years ago I managed to get my department onto the OCR GCSE Computing Pilot. Now, our first cohort is coming out the other side and with all the ‘kerfuffle’, a flood of exam boards (well, 2) have suddenly gone from saying “there’s no demand, it’s not worth it” to rushing out GCSE Computing specifications for first teaching from 2012.

My default position is to stick to what I know. I’ve spent 2 years creating resources and learning about how OCR wants me to tackle the specification, and how it wants the students to tackle it. But on the other hand, I don’t want to sit here out of habit and miss a better opportunity.

This morning I’ve had a good read through what AQA and Edexcel have to offer. And I think I’ll stick where I am. Not least because for an exam board to go from ‘no spec’ to a spec ready for submission to the DfE or Ofqual or whoever is doing the QCA’s job these days within a couple of months is a little bit rushed for my liking.


The AQA spec looks broadly similar, although the theory topics skip a lot of the software and binary representation stuff in favour of prototyping and testing and there are two programming controlled assessments which is a little more… up front than the OCR approach (in which the practical investigation has really turned into a programming task – although they were bullied into that by the (then) QCDA and I like that at least it’s something a bit different.

A key point for me is that in the summary marking criteria for the programming unit, the programming techniques used section gets 36 of the 63 marks – the next largest component being just 9 marks. Sounds ideal!

Until you read the detailed mark scheme, where you get those 36 marks for “discussion of most of the programming techniques” – death by writeup…

You actually get 9 marks for producing the code itself.


What can you say about Edexcel? In fairness, I moaned that AQA had probably rushed their specification out. Edexcel haven’t – because there isn’t even a draft to look at yet. There are some outline details – a 40% written exam, 35% practical exam and a 25% controlled assessment.

I must admit, I’m a fan of practical exams. They’re logistically more difficult, but they provide a more accurate reflection of a student’s ability than coursework and the focus switches to teaching and learning rather than doing and redoing.

That said, with options evening tomorrow, I don’t feel compelled to jump to a spec I haven’t read and I’ve not been a huge fan of Edexcel’s output in recent years (although I know many that have).

So at the moment I don’t feel that spoilt for choice. Competition is a good thing, and for centres coming at GCSE Computing for the first time either in 2012 or 2013 then perhaps the route is a little less cut and dried. For me, though. It’ll be another year at least with OCR.