Fabulous Adventures In Coding
Eric Lippert is a principal developer on the C# compiler team.
“Diet Dr. Pepper tastes more like regular Dr. Pepper.”
That was a previous advertising slogan for Diet Dr. Pepper, my personal favourite source of both caffeine and phenylalanine; I’m drinking it right now as I write this.
The present slogan is the brain-achingly oxymoronic “Diet Dr. Pepper: There’s Nothing Diet About It” – really? Seems like one ought to change the name then, if the name of one’s product is so misleading as to require its complete and utter disavowal in the slogan.
But that’s not what I want to talk about today. I actually want to talk about predicates.
The word “predicate” is one of those slippery words that has multiple technical meanings depending on the domain, all related but subtly different enough that one really ought to carefully call out how one is using the term.
What all of these things have in common is that a predicate is something into which you can "substitute" a value to obtain a result of either truth or falsity.
What on earth does this have to do with Diet Dr. Pepper tasting more like regular Dr. Pepper?
Is “tastes more like regular Dr. Pepper” actually a predicate? If it is then when it is applied to a subject it must produce a statement which can be classified as true or false. Let’s leave the subjective nature of taste aside for a moment; that’s not the fundamental logical problem here.
Rather, consider this utterance: “Diet Dr. Pepper tastes more like”. Is “tastes more like” a predicate? Of course not. That utterance doesn’t make any sense. Tastes more like… what? This utterance cannot be classified as true or false for any subject, so the latter part of it cannot actually be a predicate.
But the same thing goes for “tastes more like regular Dr. Pepper”! Tastes more like regular Dr. Pepper… than what?
In order to actually be a predicate it needs more objects. For example, “Diet Dr. Pepper tastes more like regular Dr. Pepper than a pint of Guinness tastes like a mango lassi” is a statement which actually has a truth value. Perhaps a subjective and arguable truth value, but at least this sentence has the form of a statement with a subject and a real predicate now. The original slogan’s “predicate” isn’t really a predicate at all; one might think of it as a pseudopredicate.
Advertisers love pseudopredicates. Once you realize that they exist you see them all the time. Advertisers love them because they make no testable claim which could be shown to be false in a court of law. Rather, they rely on either the irrational belief that “more” anything means “better”, or upon your brain’s ability to fill in the rest of the objects which they intend you to infer.
In this particular case, I imagine that the crafters of this slogan intended your brain to fill in “Diet Dr. Pepper tastes more like regular Dr. Pepper than our previous formulation of Diet Dr. Pepper tasted like regular Dr. Pepper” – that is, they want to make the claim that the product has improved without making the admission that the previous formulation was less than delicious.
Or, perhaps they want you to fill in “Diet Dr. Pepper tastes more like regular Dr. Pepper than Diet Coke tastes like regular Coke” – that is, they want to assert that their product is superior to a competing product. This assertion is in my personal opinion true, but the Coca Cola company could potentially take issue with it if stated baldly as an objective claim. By relying upon a pseudopredicate to make a slogan which actually is so malformed as to have no truth value at all, the copywriters duck these thorny issues. There are lots of ways that clever advertisers leverage our tendencies to "fill in the blanks" in order to sell products.
That’s not actually what I want to talk about today either. I actually want to talk about writing secure code.
What on earth does Diet Dr. Pepper tasting more like regular Dr. Pepper have to do with writing secure code?
The other day I got a question about the characteristics of a particular bit of source code obfuscation technology, which we shall call X; what the technology actually consists of and what the precise question was are irrelevant to this discussion.
I answered the question with a question; I asked why it was that the questioner wanted to use technology X. The answer was “To protect the source code”. Leave aside for the moment the fact that I could probably have deduced from the original query that the questioner was interested in protecting some resource. There’s a deeper problem here. In the utterance “technology X protects the source code”, is “protects the source code” a predicate, or a pseudopredicate?
It’s a pseudopredicate. There is an object missing. To make this a predicate, it needs to be something like “protects the source code from casual inspection and editing by snoopy people” – as it happens, this predicate was true for technology X. What I was rather worried about was that the questioner actually had in his head the predicate “protects the database administrator password that I’ve stuck into my source code from discovery and misuse by a determined and intelligent attacker”. That predicate happens to be utterly false for technology X. Because he was not actually stating a predicate that could be true or false of X I was unable to answer the guy's question about X.
I never, ever lock my car doors anymore. Why? I drive a soft-top convertible. One day I woke up to discover that someone had sliced open the top and unlocked the car. The two bucks in quarters I keep in the car for parking meters was a trivial loss compared to the hundreds my insurance company paid to get the top replaced and the hours of my time wasted in dealing with the situation. The locks are not a mitigation to that vulnerability at all! Locking my car doors makes it more prone to be damaged, not less.
I do, however, lock my house, to protect it against random people wandering in. However, the locks are hardly any mitigation to the vulnerability of the house to determined attack from a wily, hostile burglar. It would be foolish of me to say that “the locks protect my house” without mentioning the threat.
What I’m rambling on about here is this: the fitness of a particular security technology to mitigate a vulnerability can only be evaluated in the context of a stated threat against a stated resource. That’s because every security technology is designed to mitigate specific vulnerabilities to particular threats. When you’re evaluating the benefit of a particular security system, make sure that the predicates you are using to talk about the system are actually predicates, not pseudopredicates; state the threats.
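The two predicates from the obfuscation discussion above can be evaluated separately, one per stated threat. This is an added example, not code from the original post: the XOR mask standing in for technology X, the credential, and every function name are constructed for illustration.

```python
import sys

# Constructed sample values. SECRET appears in this file only so the example
# can build the artifact and check its own results.
SECRET = "constructed-dba-password"   # the resource: a credential embedded in code
KEY = 0x5A

def obfuscate(text: str) -> bytes:
    """Stand-in for technology X: the shipped artifact holds only masked bytes."""
    return bytes(b ^ KEY for b in text.encode())

ARTIFACT = obfuscate(SECRET)          # what ends up in the distributed file

def connect(password: str) -> bool:
    """Stand-in for the database client, which needs the real password."""
    return password == SECRET

def run_program() -> bool:
    # The program has to rebuild the plaintext before it can use it.
    return connect(bytes(b ^ KEY for b in ARTIFACT).decode())

def casual_inspection_finds_secret() -> bool:
    """Threat 1: someone skims the shipped bytes for readable strings."""
    return SECRET.encode() in ARTIFACT

def runtime_observer_finds_secret() -> bool:
    """Threat 2: someone watches the running program at the point of use."""
    seen = []
    def tracer(frame, event, arg):
        if event == "call" and frame.f_code.co_name == "connect":
            seen.append(frame.f_locals.get("password"))
        return None
    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        run_program()
    finally:
        sys.settrace(previous)
    return SECRET in seen

def evaluate() -> dict:
    """Truth value of 'X protects the password from <threat>', per threat."""
    return {
        "casual inspection": not casual_inspection_finds_secret(),
        "determined attacker": not runtime_observer_finds_secret(),
    }
```

The same control yields `True` for one threat and `False` for the other, which is why "X protects the source code" has no answer until the threat is named.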
Wow....I like Dr Pepper too, Eric, but that post was wild and covered far more tangents than any of your others! (...and that's no pseudopredicate!)
Suffice to say, the point was that someone misappropriated a technology to hide their bad system design and that fact was conveyed.
good reading :)
Old Spice High Endurance Body Wash proudly proclaims "3x clean guaranteed": http://www.amazon.com/gp/product/images/B000GR9OIQ/ref=dp_image_text_0?ie=UTF8&n=3760901&s=hpc
On the off day that I'm not thinking about code in the shower, and I happen to notice that slogan, my head starts hurting...
On a slightly different tack, I was doing some work for an alarm monitoring company some time ago. Apparently if the alarm company calls the police on a false alarm they can be billed a hefty fee. Since false alarms are significantly more likely than real ones, when the alarm company got an incoming alarm, they delayed calling the police as long as possible, exhausting all other means of investigation. This was even true of the live voice alarms where the central station operator immediately says "the police have been dispatched" as part of their script! (The live voice operators were instructed to speak in a loud, aggressive voice but they occasionally had a hard time not laughing when they did.) In essence the alarm monitoring protects your house from slow intruders but not from fast ones!
Good post, I also enjoyed going back and seeing the Thucydides post. I've found that reading ancient books frequently humbles my modern mind.
FYI: Phenylketonurics are people, phenylalanine is what they're allergic (psychopathic response, not histamine response) to. ;)
I expected you to say you'd actually come to talk about the draft.
Even a fully predicated version of the slogan -- e.g. "Diet Dr. Pepper tastes more like regular Dr. Pepper than Diet Coke tastes like regular Coke” -- is unassailable, because it makes a statement about something subjective. The Coca-Cola company could not prove that this statement is not true, because there is, as they say, no accounting for tastes. That's why advertisers like the word "best" -- it's a measure of opinion, not of fact.
More in keeping with your actual thesis, I'll put in a plug for Bruce Schneier's book "Beyond Fear," in which he brings this kind of analysis to security of all kinds (as you've done here). It's too bad that Schneier is best known for his writings about computer security, because that's a book that everyone should read, perhaps _especially_ people who don't deal with computers much or at all.
> Even a fully predicated version of the slogan -- e.g. "Diet Dr. Pepper tastes more like regular Dr. Pepper
> than Diet Coke tastes like regular Coke” -- is unassailable, because it makes a statement about something
> subjective. The Coca-Cola company could not prove that this statement is not true, because there is, as
> they say, no accounting for tastes
@Mike - surely the advertiser would be on shaky ground if they made explicit statements like that and only had "it's subjective" as a defence. For example, do you think Dr Pepper could get away with the following (subjectively true) slogan?
"Drink Dr Pepper, because Coke tastes like crap"
Anyway, this was a fun post to read. Thanks Eric!
Or how about "Coke tastes MORE like crap" - is that unassailable?
Someone on a forum I frequent once posted an (obfuscated) class and asked what string it contained.
The response inside 10 minutes rather shocked him.
He then tried a slightly improved set of options and made the string not directly embedded (building it in some convoluted way)
I skipped decompilation, attached a debugger and got the string out then in no time at all.
He realized the futility of this approach for anything other than casual introspection at that point.
You've been spiking the Dr. Peppers again, haven't you, Eric?
Seriously though, that was a nice setup for your discussion on predicates - seemed to be almost a non-technical post until you brought it back onto the usage of (spoken) predicates.
Related pseudo-predicates: "Structs perform better than classes" (and similar statements).
Just like the security pseudo-predicate, this requires a context - basically a series of operations (ideally running on a particular version of the framework/OS, on particular hardware - and in the face of other factors such as what else the system is doing).
Great elucidation of a tricky logic topic, Eric. I've had a similar problem for years, specifically people talking about "needs". People claim they need something, and I always react by saying "in order for what?"
"I need to eat" is only true "...in order to continue living", and it's this missing portion of the predicate that is assumed, taken for granted, etc. Needing to eat is trivial, though. What's scary is when people talk about business needs, software needs, etc.
However, when I bring up this "technicality", people look at me with a blank stare. So now I can REALLY confuse them by talking in terms of predicates. :) Thanks!
Thanks for the article...
What amused me was that I read the slogan as “Diet Dr. Pepper tastes more like regular Dr. Pepper. than regular Dr. Pepper”... :)
Listeners have an obligation to use common historical context to fill in the missing object of the pseudopredicate and construct the proper understanding with fewer words. The listener’s job is to choose the most obvious, or most relevant, or most recent object to fill in the pseudopredicate’s blank.
For example: “These cookies taste better”- If I had cookies with the person making this statement, I would assume “These cookies taste better than the last batch of cookies X made”. Or maybe X never made cookies, but we had shared cookies before, then I would assume “These cookies taste better than the last batch of cookies we shared”. Or maybe I do not remember any cookies in our common past, and then I would assume “These cookies taste better than the X we just finished eating”. Etc.
With the historical context in mind, and having a reasonable expectation of what contexts others have when receiving the same statement, I would assume “Diet Dr. Pepper tastes more like regular Dr. Pepper” to mean “Diet Dr. Pepper tastes more like regular Dr. Pepper than our previous formulation of Diet Dr. Pepper tasted like regular Dr. Pepper”. It seems obvious to me that the missing object is the one that is most similar to the subject; and that can only be a comparison between previous versions of Diet Dr. Pepper and Dr. Pepper. Furthermore, only the most recent Diet Dr. Pepper is most relevant. (comparing Dr. Pepper to Dr. Pepper is silly).
Why would anyone think that “Diet Dr. Pepper tastes more like regular Dr. Pepper”’s missing object is a comparison with any other family of objects? If you choose “…than Diet Coke tastes like regular Coke”, then what justifies bringing in whole new subject matter (eg. the Coke line of products)? I consider it disingenuous, on the listener’s part, to fill in the blanks with subjects the speaker never mentioned, or on subjects the listener had no history of sharing with that speaker.
The second half of your post demonstrates you exercised your listener’s obligation and correctly assumed “To protect the source code” to mean “To protect the source code from casual inspection and editing by snoopy people”. As the listener, you have the right to suspect the speaker of being deceptive and meaning something else, so you may want clarification; but the issue of deception is separate from the meaning of the words spoken, which are clear. As the listener you also have the right to suspect the speaker innocently misspoke, so you have the right to clarification; but this is an issue of uncovering the common context; questioning uncovers the speaker’s context to understand the meaning of their words.
In summary, communication requires both the listener and speaker to use context to understand the meaning of phrases, if only for the sake of communication efficiency. I do not dispute there may be deceptive or naïve speakers, and clarification is needed to weed out those entities. But I do dispute questioning the meaning of simple pseudopredicates, that really have only one interpretation by any reasonable listener. If you seriously demand all instances of “Diet Dr. Pepper tastes more like regular Dr. Pepper” to be replaced with “Diet Dr. Pepper tastes more like regular Dr. Pepper than our previous formulation of Diet Dr. Pepper tasted like regular Dr. Pepper”, then I think you are trying to make the world an uglier place with no real benefit.