Let’s Stop Cutesy Names for Attacks
Orwell said it best in “Politics and the English Language,” and if you haven’t read him recently, you should. Abuse of the language has adverse effects on thought, and it’s true in security as well as politics. He gives some wretched examples and says of them:
Each of these passages has faults of its own, but, quite apart from avoidable ugliness, two qualities are common to all of them. The first is staleness of imagery; the other is lack of precision.
There are many examples of this in security terminology, but I’ll give a few.
- Pharming
- This is the term that has set me off on the present rant. The person who just used it in a meeting I’m in said “pharming” and then screwed up his face when he perceived a blank look or three and said, “Well, pharming is a name for a number of attacks, which are all DNS spoofing attacks.” I bit my tongue and did not say, “Then why didn’t you say ‘DNS attacks’?” and then sat down to this rant.
Pharming has both of the faults Orwell mentions. It’s stale (being a back-formation from phishing) and imprecise. It’s so imprecise that one can’t imagine what it is just from the name. I could complain about phishing itself, but it is at least poetic and suggestive of the actual criminal activity, and that particular spelling appeared as early as 1996 in an AOL password-stealing scam. However, the word forgery was created for this very case.
- Anything else that uses a ph instead of an f
- When Jon Fishman started a band with his college chums, it was cute. It is merely cutesy now. Please stop, unless it adds so much precision that the staleness is overcome.
- Social Engineering
- It’s a con job. One of its most notorious users at least had the grace to call it deception.
- Deception. Impersonation. Fraud.
Using cutesy terms is jargon at its worst. It creates a group of insiders and outsiders, where the insiders can wrap their minds around the problem and the outsiders can’t. We need to have security understood by non-experts. We need less jargon, not more.
This lack of clarity hurts people. The State of California recently defeated a proposed anti-pretexting law because the MPAA argued that there were legitimate uses for it. It’s harder to defend impersonation and fraud when it is called impersonation and fraud. Cutesiness is euphemism.
Don’t be a cutesy monkey. Use precise language. Use powerful language. Don’t let the bad guys get away with defending the indefensible, as Orwell put it, with euphemism. While you’re at it, read or re-read Orwell’s essay.
Photo “Emily and me kiss kiss da cutesy monkey” courtesy of Nanikas.