April 19, 2014

On the emotions you feel when you do a security review

[I'm happy to introduce Dan Wallach, who will be blogging here from time to time. Dan is an Associate Professor of Computer Science at Rice University. He's a leading security expert who has done great work on several topics, including e-voting. – Ed]

I was one of the co-authors of the Hart InterCivic source code report, as part of California’s “top to bottom” analysis of its voting systems. As many Freedom to Tinker readers now know, we found problems. Lots of problems. I’ve done this sort of thing before, as have many others, and I realized that there’s a somewhat odd emotion that we all feel when we do it. You’re happy because you found how to break something, but you’re sad that the system is so poorly engineered. It’s a great accomplishment that we were able to discover so much, but it’s terrible that widely used systems have such easily exploitable vulnerabilities. What word can describe that good/bad emotion?

About a year ago, I started asking everybody I knew, speakers of any language, if their language had a word to describe that emotion. Somebody, somewhere, must have such a word. There are lots of close-but-no-cigar choices, such as:

Schadenfreude (German) – the pleasure you feel at somebody else’s pain (common example: laughing at Hollywood celebrities arrested for drunk driving)

Bathos (Greek) – mixing serious issues with humor (a common literary device)

Neither quite captures it. Finally, in a discussion with my colleague, Moshe Vardi, we came up with a Yiddish coinage that seems to do the trick: oy gevaldik.

Origin? Oy vey is a standard Yiddish expression of woe (similar to “oh boy”). Oy gevalt is a stronger version of the same expression (similar to “oh expletive” for milder expletives). Curiously, the Yiddish word for beautiful is gevaldik, which sounds similar to gevalt. Put it together, and you get oy gevaldik. Oh, beautiful. And that’s what security reviews are all about.

Comments

  1. Barry says:

    Bittersweet.

  2. Marcus says:

    I’m no expert on Yiddish, but since Yiddish has its roots in German and I’m a hobby linguist, I thought I’d share my knowledge.

    “gevalt” seems to come from German “Gewalt”: “force”, but also “violence”

    “gevaldik” from “gewaltig”: adjective for “Gewalt”, but means “enormous”, “immense”, “grand”… well just look it up at http://dict.leo.org/ende?search=gewaltig

  3. Dan Wallach says:

    Moshe Vardi adds:

    I did some further research on that. Gevald is literally “horrible”.
    Gevaldik is literally “horribly”. “Gevaldik gut” means “horribly good”,
    which means “really, really good”. Then “Gevaldik gut” contracted to
    “Gevaldik”, which is how “horribly” came to mean “wonderful”.

  4. Computer Engineering says:

    Marcus, Leo is an excellent reference (I am a native German speaker).

    With almost 30 years of experience in software development, I think I know the feeling. Whenever I read “buffer overflows”, C and C++ cross my mind. Why? Why do we still have to deal with such programming languages? Why is this industry standard? Schadenfreude is not what I feel. More something like deep disappointment.

    Back to work… just fighting with a Java application that fails with “java.lang.OutOfMemoryError: Java heap space” (not my junk). Just wondering why Java-based web development produces the same feeling…

  5. James says:

    Almost totally off-topic, but make sure you listen to “Schadenfreude” from the Avenue Q soundtrack. Absolutely excellent work.

    Oh, and, uh, when I do a security review, I usually feel overwhelming anger, as I’m probably the one who will have to fix all the problems.

  6. Douglas Kastle says:

    For some strange reason I am reminded of the taunt Agent Smith makes to Neo in the first Matrix film when he has him held down on the train track :

    “Do you hear that, Mr. Anderson? That is the sound of inevitability.”

    The whole film makes a big point about when humans try to cross swords with machines humans usually fail. As a bug hunter for hardware designs sometimes you know, not believe just know, there are bugs in code, it is inevitable. There is some pleasure in finding them, it’s your job and what you get paid for, but that is small comfort sometimes especially when there is the possibility of doozies like the Pentium FDIV bug getting through.

    http://en.wikipedia.org/wiki/Pentium_FDIV_bug

    I always find it funny when a chip is about to be signed off there is usually a conversation that goes like this :

    Manager : Are you satisfied with the verification of this chip?
    Engineer : Yes, I believe we have covered everything.
    Manager : Would you fly in a plane that depended on this chip to safely land?
    Engineer : Eh, maybe I have a look at that verification plan again…

  7. cm says:

    Computer Engineering: Based on my decade plus software engineering career I have come to believe that a tool will become, and remain, industry standard to the extent it allows to hack, tweak, and muddle one’s way through, and that sadly anything that requires sustained thought and consistency is commercially dead on arrival.

  8. Lawrence D'Oliveiro says:

    Maybe what we’re seeing is a market for lemons effect? One or two commenters there suggested that opening the source code could help mitigate the effect.

  9. kd says:

    Erm, we already have a word in English to describe that good/bad emotion – ambivalence, “the coexistence within an individual of positive and negative feelings toward the same person, object, or action, simultaneously drawing him or her in opposite directions”.

  10. Saad Kadhi says:

    In French, one can say “être partagé” which means (according to Larousse) : “être animé de tendances, de sentiments contradictoires”. Being “shared” between contradictory tendencies/emotions.

  11. tz says:

    The Freedom to Tinker … With election results

  12. john erickson says:

    I think we as engineers — which, generally, implies “humans” as well… — often feel mixed emotions, to varying degrees. For example, think of the Morton Thiokol engineers whose pre-launch assertions that the space shuttle Challenger should not be launched in extreme cold conditions were sadly proven correct, by way of a tragedy. There is a combination of vindication (at a technical level), of profound loss (of the astronauts, perhaps even the vehicle), of guilt (wondering whether they could have done more), of disgust (with the actions of Management).

  13. paul says:

    It’s probably an interesting political commentary that Yiddish would have turned “gewaltig”, which is a somewhat neutral reference to great power or force, into a mostly negative one…

    The English “ambivalence” doesn’t seem nearly strong enough to me. But there’s an epithet that used to be common in rock-climbing that might fit the bill: “dynamic”. The term originates in the fact that there are (at least) two kinds of climbing moves: static moves, in which the climber at all times has a stable contact with the rock (e.g. move one hand to a new hold, then the other hand); and dynamic moves, in which the climber is only in stable contact at the beginning and (it is fervently hoped) the end of the move. Dynamic moves are sometimes the only way to get from A to B, but they’re also the most likely to end in a fall. So depending on context, calling an action or an idea “dynamic” is either a heartfelt compliment or an expression of contempt. Or sometimes both.

  14. aeschylus says:

    paul> The english “ambivalence” doesn’t seem nearly strong enough to me.

    The problem with “ambivalence” is not weakness; it’s that it’s the wrong word.

    “Ambivalent” means embracing both sides of an issue. It doesn’t specify what sides they are, however. You can be ambivalent about what political party to vote for, how you feel about someone, whether you think the price of a stock will go up or down, which of two supervillains is more evil, etc. The person who suggested “ambivalent” for this wasn’t thinking clearly. The concept under discussion here is specific, and a generic word such as “ambivalence” doesn’t cut it.

    I don’t think much of “oy gevaldik” either.

  15. mythepythe says:

    The situation is surely a paradox: something like a
    ‘Eureka…Damnit’ moment. The word “contrariety” is a possibility.
    Defined as the mutual resistance of two things due to their divergent ends. Does this work for you?
    Mythepythe

  16. Dan Wallach says:

    “Contrariety” is the closest English word I’ve yet heard, although it seems to be a more general term for any sort of opposition/contrasting position rather than a specific term for the emotion that we tend to feel…

  17. paul says:

    Thesis… Antithesis…

  18. T says:

    In German slang, we have another saying that seems to fit much better than Schadenfreude, which doesn’t really express ambivalence about somebody else’s misfortune, just amusement. The idiom is “Ach du schoene Scheisse” (literally “Oh you beautiful shit”). This expresses marvel at how completely messed up the situation is, and conveys an odd satisfaction in discovering this. Suits the voting machine review fairly well.