
Published in ACM SIGSAC Review, Vol. 5, No. 1, Winter 1987.

CONAN AND THE JARGONAUTS¹

Bill Neugent
Heidelberg, West Germany²

Abstract: Sticks and stones might break our bones, but words will bring our vengeance.

INTRODUCTION

Words. Some of my favorites are contradictions in terms, which have been popular since Groucho Marx noted the inherent contradiction in “military intelligence.” Since then, George Will has noted a similar problem with “family vacation.” There are many other examples of this phenomenon, such as “civil servant” and “new improved.” Our profession has surpassed everyone, however. Unwilling to stop at “operating system,” we have gone on to the definitive limit of the genre: “computer security.”

In our profession, the main risk we run by speaking out is that someone might be listening. Fortunately, this is a minor risk. For that very reason, we as security consultants should focus an inordinate amount of attention on it. Furthermore, since we are specialists, we cannot focus on the entire picture. Instead, we must focus on that aspect that we happen to find the most intriguing. At the moment, I find the topic of computer security jargon to be intriguing. So that’s what this article is about.

Bill and Bob

Bill shows brother Bob how to
dress and act like a consultant;
Bob says he’d rather go fishing.

THE STATE OF JARGON IN OUR PROFESSION

It is said that one mark of a profession’s growth is the rate at which it creates new words (or improves old ones). On that score, we are in an adolescent spurt. One excellent source seems to be the venerable Donn Parker. I don’t know if Donn coins or collects terms, but I believe it was he who gave us such gems as “data diddling” and “salami techniques.” (1) One advantage of these terms is their suitability for adaptation:

Bo Diddling. “Singing” about one’s exploits.

Baloney Techniques. Approaches used by security consultants after rational arguments prove unsuccessful.

Recently some pretty interesting words were defined by the National (soon to become Galactic) Computer Security Center. (2) Their unique glossary succeeds in not only informing, but also entertaining readers through the introduction of such words as bagbiter, brain-damaged, cracker, snarf, and (perhaps the funniest) trusted. Though these words were not enshrined in The Hackers Handbook, their endorsement by The Center is enough for me. (3)

While these new words are entertaining, I must admit that I still feel an attachment to some of the more traditional terms from the days before criminals discovered computers. One example is “bad bag,” which is a wrapped garment package with a false bottom to facilitate shoplifting. (4) This term predates the more familiar “storage channel.” Another is “pencil.” A pencil is an accountant or lawyer who (often unwittingly) serves as the “front” man for a dubious enterprise. (5) My personal favorite is “attitude arrest,” which is an “arrest made by a law-enforcement officer because he or she does not like the attitude of the person arrested.” (6)

One of our words serves an important though little known functional purpose. That word is “accreditation.” Lately the popularity of computer security has brought many mountebanks to our profession. Many of these people simply do not have the mental capacity required for computer security work. Fortunately, the word “accreditation” gives us a simple litmus test--a shibboleth--to weed out such impostors. You can even test yourself in the privacy of your home. Simply say the word aloud. If the sound you hear is “accredidation,” we forthwith dismisseth thy puerile prestidigitation (unless you can say that aloud).

One problem with our jargon is that so much of it is not self-evident. How could newcomers possibly know what we mean by “*-property?” Furthermore, as though to intentionally trip them up, we persist in mispronouncing it as “star property,” when any grammar school student can readily see that it should be “asterisk property.” Fortunately, not all of our words are so devoid of helpful clues. For example, “mandatory” and “discretionary” access control are clear terms, founded on Well Understood words. Newcomers are immediately comfortable with these terms; that is, until baptized with the actual meanings. Until such baptisms are performed, newcomers should be followed closely by someone with a blooper scooper.

Youths John, Bob, and Bill, with
William Cardinal (Bill’s great grandfather)
and Ubald Ravenelle (Bill’s grandfather)

New Beginning? New End is what I’d call it.
This new generation ...

I think our jargon is getting out of hand. It’s time we put common sense back into our definitions. Therefore, I propose the following section as a New Beginning for our troubled vocabulary.³

REPAIRED DEFINITIONS

Access Control Mechanism. The key to the door of the building where the computer is located.

Algorithm. A means of contraception practiced by alligators.

Asynchronous Attack. An attack that doesn’t go according to plan.

Authenticator. Something you need to borrow before you can use the system.

Automatic Rejection. A phenomenon that plagues many consultants’ products and social advances.

Ciphertext. Documentation written by a programmer.

Clearance. Height.

Correctness. A property exhibited only by the British aristocracy, and then only after they have become properly engaged to be married.

Cryptanalysis. A form of archaeological research, sometimes associated with necromancy.

Denial of Service. A goal sought by many restaurants, but already achieved by all gas stations.⁴

DES. An encryption algorithm that has been:

Weakened by the National Security Agency (NSA) so that they can crack it.

Found to be still too difficult for NSA to crack.

Criticized by NSA as being too easy to crack.⁵

Discretionary Access Control. An access control rule that you might or might not follow, depending on your mood.

Downgrade. To speak of someone who is known not to be within hearing range.

End-to-End Encryption. Technology that gives you a code in your node.

Graceful Degradation. A state or condition typically sought during lonely evenings at professional conferences.

Hierarchical Decomposition. That portion of a system’s life that begins immediately after initial operation.

Information Security. The function of refusing to confirm or deny reports in newspapers and Aviation magazines.

Logic Bombs. Software.

Mandatory Access Control. An access control rule that you must follow, but only if you choose to accept the rule.

Multics. A product developed to demonstrate the commercial viability of secure operating systems.

Need-to-Know. Based on common usage, the inalienable right of an individual to access all data classified at or below the level of his clearance. Synonymous with Want-to-Know.

Penetration. When a customer finally “sees through” the security consultant.

Periods Processing. One of many types of symbolic processing done by a word processor (e.g., commas processing).

Reference Monitor. Librarian.

Sanitization. A function required after a consultant has departed a working area.

Scavenging. When a consultant searches for new customers in a place that is below his social level.

Security Architecture. That aspect of a structure that has been created by a security consultant and that leaves ordinary mortals awestruck.⁶

Security Guard. A person who sits beside the operator and carries a shotgun.

Security Model. A decorative feature added to product advertisements to increase sales.

Security Policy. A set of impressive-sounding, no-nonsense rules, created to distract attention from actual operating procedures.

Simple Security Condition. A security condition that has been reduced in complexity so that customers can understand it.⁷

Spoof. To emit sounds by first filling one’s mouth with air until one’s cheeks are puffed out, and then clapping one’s hands over both cheeks simultaneously. This is one portion of the secret security consultant handshake.

System High. A drug-like state in which programmers develop security software.

Trojan Horse. A horse that has been dead for over 3,000 years.

Trusted Process. A process that has cleverly positioned itself for the perfect heist.

Turkey System. One whose security defenses grind it to a halt as soon as you turn the key.

UNIX. A class of systems that have been altered.

USER ID. That part of a user’s psyche that makes security controls futile.

Front row: Jackie Coyle, Dick Grebe, Bill, and Bob; back row: groupies

The propeller-stick portion of the
secret security consultant handshake

Vulnerability Assessment. The consultant’s estimate of how much a customer might spend on security analysis.

Write Down. To make a note of.

Write Up. Similar to Write Down, except that you usually need to use a pencil rather than a pen. This has advantages in that it can be easier to erase than defend some opinions.

*-Property. In modern usage, the criterion that determines suitability for upper management.

CONCLUSION

I don’t believe that our jargon results from an attempt to intimidate customers or to make our work seem more complex than it is. We don’t mean badly. In fact, usually we don’t mean anything. That is precisely why jargon is so useful.

Furthermore, psychological studies show that there can be advantages to including jargon in reports. For example, recent studies of grading practices in English Composition classes show that students who use bigger words are more likely not only to receive higher grades, but also to be Oriental.⁸

Lest I be accused of propheteering, let me reassure you that I see no dire consequences for society as a result of computer security jargon. Actually, I think computers themselves will ultimately be shown to have been just a transient affectation, and in the spectrum of human achievement will prove to have been irrelevant.⁹ Computer jargon will be no more important. Indeed, that is why this paper was written. We consultants must address such seemingly trivial topics for the same reason we recommend placing computer safeguards in areas where criminals are least apt to find them. People with our abilities are not hired to parrot the obvious. To do so would be to insult the competence of our customers. Rather, we are expected to examine those perspectives that are complex, arcane, and, yes, profound. Our role is not to dwell in the mundane, but to seek out the singularity; not to wallow in the practical, but to rise to the philosophical. Thereby is society enlightened. Thereby are we all greatly enriched.

FOOTNOTES

1. The reference is to Conan The Security Consultant. Throughout this paper superscript numbers refer to footnotes and parenthetical numbers refer to references.

2. The author (an American working in Europe) is a computer security consultant who believes that our customers and our profession are best served when we don’t take ourselves too seriously. Shortcomings in this paper are not the fault of the author, but of hereditary and environmental forces beyond his control.

3. I would have included a few more definitions, but Parnas’s Strategic Defense Initiative (SDI) arguments convinced me that the task was impossible.

4. This definition has not been formally verified.

5. At least one well-known DES critic believes that these three changes of direction represent three points in a longer message that NSA is transmitting via covert channel to an alien race.

6. Recent architectures show evolution from Gothic to Baroque forms.

7. At this point the condition is no longer of much use to the consultant.

8. The latter finding raises intriguing questions about whether use of bigger words might actually cause people to become Oriental. Further research is needed in this area.

9. Or, if not irrelevant, maybe a hippopotamus.

REFERENCES

1. Parker, Donn B. Computer Security Management, Reston Publishing Company, Inc., 1981.

2. COMPUSECese Computer Security Glossary, NCSC-WA-001-85, National Computer Security Center, 1 October 1985.

3. Cornwall, Hugo, The Hackers Handbook, Century Communications, 1985.

4. Jekel, Pamela L., The Perfect Crime and How to Commit It, Paladin Press, 1982.

5. Santoro, Victor, The Rip-Off Book, Loompanics Unlimited, 1984.

6. DeSola, Ralph, Crime Dictionary, Facts On File, Inc., 1982.

ACM COPYRIGHT NOTICE. Copyright © 1987 by the Association for Computing Machinery, Inc. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Publications Dept, ACM Inc., fax +1 (212) 869-0481, or permissions@acm.org. This copy is posted by permission of ACM and may not be redistributed.

Updated: 20-Oct-2005