"What does a computer security PhD student do all day?" is a pretty fair question, as I've seen from talking to other Gates scholars that being a PhD student can mean almost anything, depending on field of study, research group, and supervisor. Humanities PhD's read fairly obscure stuff they dig out of the library, some Biology PhD's spend most of their time setting up experiments for their advisor and collecting data.
Even within computer science, which is already a different beast, security is truly unique because one needs to understand broadly a huge number of fields to design security that actually works in the real world. A huge system like the internet or global finance can fail in thousands of ways, and security researchers need to understand all of them fairly well to do things right.
So, I'm forced to jump around pretty crazily from topic to topic. One day I'll be thinking about terrorism and bombs, the next about cryptographic protocols, and the next about the business model for sending spam. The security research group is appropriately diverse, about 10-20 people in various roles doing about 20 different projects simultaneously each. The best part is that we spend a huge amount of time brainstorming and discussing security topics with one another, which is the way to really learn. For me, that's the payoff in being a PhD student: I spend at least an hour a day over lunch learning security from some of the real experts in the field, plus seminars, "official" group meetings on Friday afternoons, and then there are usually afternoon teas. I haven't sat down yet with the group and not learned something.
I spend most of my time talking to people, getting ideas, then reading a lot about them. I've learned to walk around with a notepad, and every time I hear a term like "SCADA" which I didn't know, I pull up the relevant Wikipedia page next time I sit down. I constantly have a pretty big queue of topics I need to read, because they're all things a security PhD needs to know.
Here I am in my office. I'm here quite a lot; I don't spend much time in a laboratory despite the name. The days pass pretty quickly though, with some mixture of:
- Tracking the daily security news
- Reading research papers
- Learning about various other fields which intersect with security
- Discussing/brainstorming ideas
- Coding up demo attacks, poking around products looking for issues
- Going to seminars
- Writing up ideas and sharing them
- Supervising undergraduates and passing on the gift
As it happened, I was quoted in this news story today, so hopefully I'm at least a little bit on the way...