Shostack + Friends Blog Archive


Let’s Stop Cutesy Names for Attacks

Kiss da cutesy monkey

Orwell said it best in “Politics and the English Language,” and if you haven’t read him recently, you should. Abuse of the language has adverse effects on thought, and it’s true in security as well as politics. He gives some wretched examples and says of them:

Each of these passages has faults of its own, but, quite apart from avoidable ugliness, two qualities are common to all of them. The first is staleness of imagery; the other is lack of precision.

There are many examples of this in security terminology, but I’ll give a few.

Pharming
This is the term that has set me off on the present rant. The person who just used it in a meeting I’m in said “pharming” and then screwed up his face when he perceived a blank look or three and said, “Well, pharming is a name for a number of attacks, which are all DNS spoofing attacks.” I bit my tongue and did not say, “Then why didn’t you say ‘DNS attacks’?” and then sat down to this rant.

Pharming has both of the faults Orwell mentions. It’s stale (being a back-formation from phishing) and imprecise. It’s so imprecise that one can’t imagine what it is just from the name. I could complain about phishing itself, but it is at least poetic and suggestive of the actual criminal activity, and that particular spelling appeared as early as 1996 in an AOL password-stealing scam. However, the word forgery was created for this very case.

Anything else that uses a ph instead of an f
When Jon Fishman started a band with his college chums, it was cute. It is merely cutesy now. Please stop, unless it adds so much precision that the staleness is overcome.

Social Engineering
It’s a con job. One of its most notorious users at least had the grace to call it deception.

Pretexting
Deception. Impersonation. Fraud.

Using cutesy terms is jargon at its worst. It creates a group of insiders and outsiders, where the insiders can wrap their minds around the problem and the outsiders can’t. We need to have security understood by non-experts. We need less jargon, not more.

This lack of clarity hurts people. The State of California recently defeated a proposed anti-pretexting law because the MPAA argued that there were legitimate uses for it. It’s harder to defend impersonation and fraud when it is called impersonation and fraud. Cutesiness is euphemism.

Don’t be a cutesy monkey. Use precise language. Use powerful language. Don’t let the bad guys get away with defending the indefensible, as Orwell put it, with euphemism. While you’re at it, read or re-read Orwell’s essay.

Photo “Emily and me kiss kiss da cutesy monkey” courtesy of Nanikas.

8 comments on "Let’s Stop Cutesy Names for Attacks"

  • Chris says:

    So, neologisms aren’t 7337? :^)

  • Culprit says:

    Language is an inadequate kludge for communicating ideas we have trapped in our individual minds.
    But it is all we have until we evolve selective telepathy or some such.
    Learning to use words to communicate without confusion should be every citizen’s duty.
    Newspeak-style word-play just allows ideas that are incongruent in everyone’s minds to coalesce together into some sort of mob-rage emotion-driven thoughtlessness.
    It is a way of stripping individual thought from people. Words lose their power, and the only power an individual has in a representative society comes from words.
    Please use language well. Don’t dilute thought exchanges.

  • Mark Curphey says:

    A cartoon in your honor sir!

  • Mordaxus says:

    Chris, I was tempted to say that cutesiness is 1336, but it’s a relatively subtle remark.
    Thank you, Culprit, I couldn’t agree more.
    And thank you as well, Mark. I smiled broadly.

  • Justin Mason says:

    The neologism “pharming” is a particular pet hate of mine; it reeks of companies ruled by their marketing departments, rather than adequate technical knowledge.
    As I noted in http://taint.org/2005/08/06/002104a.html , it has no less than four separate meanings:
    1. genetically modified (transgenic) animals used to make human proteins that have medicinal value;
    2. ‘a malicious Web redirect, in which a person trying to reach a legitimate commercial site is sent to the phony site without his knowledge’ using DNS cache poisoning, according to Scott Chasin of MX Logic;
    3. social-engineered domain transfers from their registrars, according to ‘Green Armor Solutions’;
    4. a pop-up window that attempts to emulate a legit site’s input, used in a CSO Online article.
    What’s the point of creating new terms if we can’t even agree what they _mean_?!

  • Nik says:

    Agreed in spades… “Ph” should be banned 🙂

  • Here’s another reason you’re right. Imprecise can turn into actively misleading, even among people familiar with the subject.
    Over on Slashdot, hundreds of technologists and hobbyists saw the phrase “drive-by pharming” and assumed that since it said “drive-by” it must have something to do with wireless networking. Most of the discussion was off the rails (more than usual) as a result.
    Good communication is hard enough without deliberate sabotage by people trying to establish an in crowd by inventing obscure slang.

  • Elphaba says:

    I’ve been thinking about this post for some time now (obviously), and apparently so have other people I know because more than once I’ve heard ‘social engineering = fraud’ tossed around with disdain and disgust, like only an uneducated plebe would use the term social engineering anymore.
    But social engineering != fraud all of the time. Sometimes fraud is just fraud, like counterfeiting. And sometimes social engineering is just social engineering, like dressing nicely, smiling sincerely, and treating the ticketing agent like a human being so you stand out from the masses of annoying and frustrated travelers as a Nice Person That Should Be Upgraded To A Premium Seat Without Having To Ask. That isn’t fraud, that is understanding something about psychology and sociology that you apply in human interactions to help yourself come out ahead. Social engineering is a concept, a practice if you will, that can be used for malicious purposes, but in and of itself does not require lying, misleading, deception or fraud!
    I would suggest that saying ‘social engineering is a con job’ is an oversimplification that contributes to shallow thought by the masses. Like calling all of these populations:
    – people who find security vulnerabilities and report them
    – people who write POC code
    – people who reverse engineer security patches
    – people who write/release worms
    – people who steal your credit card number and passwords via keystroke loggers and a botnet
    a ‘hacker’. Too much jargon and exclusionary language is bad, but so is oversimplification. Should people be afraid of botherders? yes. Do they need to fear and revile security researchers? no. Well, not all of them anyway. (ha ha, it’s a joke people)
    BTW, welcome to the E.C., Mordaxus. I’ve already told Adam that I like having you around, hope you understand this is just healthy debate, not a personal attack.
    ~Elphie

Comments are closed.