University of Amsterdam, Security and Network Engineering, Masters program

alternatively referred to as OS3

Was it worith it? ehhhhhhhhhhh.


Annoyingly, this was the only program I applied to that wanted me to do an entrance exam. It was fairly easy. I was also unaware you could actually take it multiple times?

Amusingly, Python skills are totally unnecessary for getting through the masters. Bash skills will serve you better.


I can't count. Approx 40 full time, 12 part time per year.

total ~11 non Dutch

3 burnouts.

Mandatory attendance.


The year is divided into 8 + 8 + 4 + 8 + 8 +4 weeks. 2 courses per block. The Dutch really don't like taking holidays.

The courses are broad-ish and if they go in depth, it's usually in the wrong places.

You usually have 4~6 weeks per project, total 6 projects, 4 of them at half time. It has to be more difficult than an evening of work, but not impossible to finish in ~2 weeks of actual work. And they want you to come up with ideas when you just started the course, when you don't know what it's about or what the interesting topics within the subject are.

1a Security of Systems and Networks

Your run of the mill crypto course

There's a group project in here, basically come up with anything security related, and mess around for a month. Our group decompiled a bluetooth peer to peer android app, Bridgefy, and found trust-on-every-use instead of the more traditional trust-on-first-use. No idea if/how the responsible disclosure went.

1b Classical Internet Applications

Ever wondered how DNS and Email worked? Ever thought about memorizing packet header fields?

Cram for the exam.

2a Large Systems

A lot of virtualization, a little on large systems.

Another pointless project, find something that's abstractly large and systemish. We measured Functions as a Service startup/performance. Use AWS Lambda for consistency, use GCP Functions for bonus speed, Do not touch Azure / Alibaba / IBM.

2b InterNetworking and Routing

Unless you're a protocol developer, pretty sure packet header fields for all the routing protocols are useless to you. Memorize IP, IPv6, VLAN, STP, RIP, OSPF, BGP.

Cram for the exam.

3 Research Project 1

Somtime in October/November you'll need to look through a list of not very interesting topics and pick which one you'll spend January on.

Mine had something to do with Named Data Networking, still not sure what the something was. The only semi decent idea is in the name itself, routing by a hierarchical tree of arbitrary length byte sequences. The fact is that it's impossible to efficiently implement, the existing implementation is hard to work with if you don't write C++, and there are a bunch of questionable choices, like caching without invalidation.

4a Cyber Crime and Forensics

Listen to someone droning on about corporate policy. Zone out.

Another poorly defined project. Everyone struggles to come up with something relevent. We poked at a Firefox fork with time travel debugging a bit.

4b Advanced Networking

Highlight of the year.

Learn about TCP, fiber networks, MPLS, WiFi. The lectures are fine.

Labs, the first few are measuring things which is ehh. Then there's one where you get 2 switches, 2 routers (HP-6600, Cisco 3750, Juniper J2320, part of a Juniper T1600), plus your own servers (x4), and the spec is to dream up and implement a network. We did eBPF from host to edge (eBGP as IGP), it was interesting, considering the old hardware we had to work around.

5a Offensive Technologies

note: working from home b/c COVID-19

Not a lot of lectures then they throw you into another project. I swear I learned more from a youtube video of a blackhat talk on the physical security of doors. Good luck coming up with ideas.

We did something related to application signing/whitelisting. No idea how this is offensive technology.

5b Advanced Security

note: working from home b/c COVID-19

Should be renamed wireless security. In scope: basic RF, Bluetooth, WiFi, SDR, GSM.

Flipped classroom, but not really. You get super short lectures, fiddle with hardware for a bit then present to cover the rest of the theory. Arbitrary grading scale.

6 RP2

note: working from home b/c COVID-19

The last project.

Mine is/was on how to abuse public STUN/TURN servers as proxies. Find a way to mush 2 or 3 libraries together and come up with some interesting "research questions"