Mike Walker gave a LangSec Workshop talk, “Persuasive Language for Language Security,” that Anatoly says is mainly for programmers but that I think is of wider interest, at least this part:
At DARPA the rules about language are simple; they’re named [Heilmeier]’s Catechism. Rule Number One goes like this:
“What are you trying to do? Articulate your objectives using absolutely no jargon.”
Absolutely no jargon. Jargon is the fundamental building block of our field. When we do our work well we get to create new jargon; we call this novelty. Here are some examples of real conversations I had in government. After a talk during which I was challenged to explain the difference between dynamic and symbolic execution, I was taken aside and counseled to stop using the term “concrete input” because construction references would confuse people.
I was informed that a network monitoring approach was so effective that it continually discovered zero-day malware. To this day I don’t know what that means.
While I caught these instances, the ones that haunt me are the ones that slipped by me unnoticed; conversations filled with Rorschach blots where words spoken by one party constructed a completely different meaning in the mind of the recipients. In a culture where everyone’s an expert, nobody can ask for clarification.
These are little stories about the imperfections of language, yet my
assertion is that language is imperfect and dangerous. The danger lies in the summoning power of words. Reagan said that “if you’re explaining, you’re losing” and truer words were never spoken. The power of that statement is that no one ever needs to explain it, which is telling. You’ll find that in places where power is aggregated and used, there is an enormous focus on the economy and precision of language. Your public words will be handed back to you filled not with objections to what you are saying but rather with objections to what people will think you said. A historical wasteland of blowback craters has taught the immune systems of government never to write a long letter when an empty one will do. This is an important lesson, and it would have served the hacker community well.
The point is not, of course, that no one should use jargon, which is indispensable for communication within a group. The point is that you need to learn how to avoid it when communicating with people outside the group, and this is a very hard lesson to learn and apply.
Anatoly ends his post by quoting this delightful anecdote, and I will follow his example:
I had the chance to talk to a lot of smart people; one of them was a young roboticist from MIT […] and I asked this young man what the word Cyber meant. He told me that cyber was a word used exclusively by people in government to let everyone know that they didn’t understand how computers worked. I think maybe he was on to something. I think this definition is still universally accepted in the hacker community.
Note that I have corrected Walker’s spelling of the name Heilmeier. He has his concerns as a programmer; I have mine as an editor.
“I was informed that a network monitoring approach was so effective that it continually discovered zero-day malware. To this day I don’t know what that means.”
… and no doubt he hasn’t discovered Google either. https://en.wikipedia.org/wiki/Zero-day_(computing)
I’m sure he’s well aware of that. He’s directing his scorn at the description of the network monitoring approach, not wondering what “zero-day” means.
As a programmer I too don’t know what “continually discovered zero-day malware” is intended to mean.
For one thing, “zero-day malware” is snappy jargon leading into further snappy, confusing jargon. I’ll ignore for a moment the curious expression “continually discovered”, which to me suggests a triviality. As it says in the WiPe article linked above by Graham Asher,
# In the jargon of computer security, “Day Zero” is the day on which the interested party (presumably the vendor of the targeted system) learns of the vulnerability. #
“The” interested party ? “The vendor” is only one of them, “the hacker” is another (possibly a competitive vendor). The WiPe article itself implies that: in the “Window of vulnerability” section, the times at which various events occur are discussed. t0 is defined as the time at which “the vulnerability is discovered (by anyone)”. Then we read:
# Note that t0 is not the same as Day Zero. For example, if a hacker is the first to discover (at t0) the vulnerability, the vendor might not learn of it until much later (on Day Zero). #
“Day Zero” is thus exclusively defined as the day on which that party (or those parties) whose interests can be harmed by the vulnerability, learn of that vulnerability. On the other hand, the hacker’s interests are harmed when the vulnerability is discovered before he can exploit it. Shall we call this “Day minus-one” ?
The kind of “Day Zero” breathlessly reported in the media is the kind where the vendor gets attacked. He learns that his defenses are inadequate on the day that he is successfully attacked. The other kind of “Day Zero” is the point at which the vendor discovers the vulnerability before being attacked
Well, big deal. A house gets broken into, thus informing the house owner that his house was not adequately secured against break-ins. Would “Day Zero” jargon help to understand what happened here ?
Let’s go back to “continually discovered zero-day malware”. As the WiPe article presents it, as we have seen, “Day Zero” is the day on which malware is discovered, but only by the party whose interests are (in the case of a successful attack), or could be, harmed. “Zero-day malware” is, by definition, the day on which that party discovers the malware or vulnerability. So zero-day malware is always, and continually, discovered on the day on which it is discovered. A triviality.
I’m guessing that what was meant is “network monitoring helps to discover malware before it can be activated”.
I wonder if Reagan would think his maxim would have commended itself to his illustrious predecessor while the latter was writing that a decent respect to the opinions of mankind requires that the future signatories of his document should declare the causes which impel them to the separation.
Reagan also said that one Republican should never criticize another Republican, which probably would have driven Mr. Third President nuts.
It is certainly true that jargon can be used to signal larger issues, especially when the terms are well along the path from jargon to cliché. For example, in the same way that using the word “cyber” can identify “people…who don’t understand how computers work”, any time a colleague starts talking about thinking “outside the box”, I know that’s not going to happen.
Reagan said that “if you’re explaining, you’re losing” and truer words were never spoken.
All teachers in the world should print this in large lettering and put it in the most prominent place in their classroom and point out to it as a response to any question ever asked.
@Stu, that’s a nice analysis. There are indeed many situations where malware can be active before the WP definition of Day Zero. But it does also say that “[u]p until that day, the vulnerability is known as a zero-day vulnerability” which is also how I understand it. Not very logical, but there you are.
The network monitoring guy may also have meant that his system has detected malware by its actions before signatures for it had been published — which is nice, but how often must that happen before “continually” is warranted? New exploits don’t come out that often, so either his network is being targeted by state-level actors (and he thinks he is winning(!)) or we’re talking months or years between events.
Thanks, Lars. By the way, I included “the hacker” as one of the interested parties not merely in order to be difficult, but because it accounts for the reality of “white-hat hackers”, those whose job is to hack against hackers.
Like Lars I read that as saying the network monitoring detected attacks that it had not been given specific signatures of. If that’s the intended meaning then I think the speaker is communicating okay even if they’re jargoning it up a bit. (This is expected behavior for any serious network monitoring.)
Obviously Reagan had a very specific context in mind: if you’re a politician, saying one thing, and then seemingly turning around and spending a lot of time explaining again and again why you didn’t mean what it seems you meant, but something more specific, then you’re probably going to lose your next election. Likewise, if your party seems like it squabbles a lot instead of getting things done, your whole party, yourself included, is probably going to lose the next election.
In many other situations, if you’re not explaining, you’re incompetent or evil or both. 😐
You do not explain how you arrived at your explanations. I assume this is not one of those many other situations, so that I need not explain my assumption.
You mean, like… history of science (or of philosophy or whatever)? No, that’s generally irrelevant, apart of course from being interesting as its own field of study.
I figured this piece would appeal to Stu.
David Marjanović –
Another way of putting it is “always attack, never defend.”
The idea is, if you explain, you are repeating your adversary’s position over and over. What will your listeners remember? if you move away and attack on a different point, your listeners are hearing your position, not your adversary’s.
“Always attack, never defend”.
One way of doing it is the rhetorical bait and switch. Claim something outrageous. When you’re criticized for that, claim being unfairly treated and attack your opponents for being against a reasonable goal. The reasonable goal is now epistemically linked to the (formerly) outrageous claim, and you own the field.
“I think mauve has the most RAM.”