It's All Greek to Me

I spent the Labor Day weekend with Euripides. No, he isn't a local celebrity, my fly fishing guide, or my neighbor's St. Bernard (that would be Zack, who is practically a fixture in front of one of the local coffee shops, and I mean fixture. We locals are used to stepping over Zack in pursuit of the morning cup of courage).  Euripides is, as I hope some readers know, the most tragic of the Greek tragedians, and has written some truly "open your wrists" plays, including Alkestis, Herakles, Hekabe and Hippolytos. If you want to be cheered up, do not read Euripides.


I confess that my Greek is so rusty (OK, my Greek was never really all that smooth) that I read Euripides in translation; otherwise I'd still be on page 3 of Herakles and knee deep in lexicons. Also, I'd probably be trying to remember the Greek for "Is it a participle, is it an adverb? Oh wait, it's an adjective!" I enjoyed the plays, if "enjoy" is the right word for reading literature that really has no hope of a happy ending. With Greek tragedy, you're lucky if anybody is left alive at the end of the first chorus who isn't a god and thus, immortal.


Still, Greek and Roman writers are the authors of the classics of Western literature. The idea of something being a classic is almost quaint now, though I note that St. John's College, a university in my home town (Annapolis, Maryland), still teaches by the Great Books method (e.g., you learn geometry by reading Euclid). I believe the classics are still the foundation for a liberal education, in the same way that buildings that Greeks and Romans built (e.g., the Parthenon and the Coliseum) are still standing hundreds of years later, while the New and Trendy (like my neighbor's flat-roofed house I wrote about earlier), aren't even surviving their 15 minutes of fame in Architectural Digest.


Unfortunately, like so many other things in this world, the classic has largely been abandoned in droves by people who think new and cool is everything. We lose something precious when we discard, willy-nilly, the old and timeless for the new and unproven-in-time, and the precious something we abandon may include both useful knowledge and cultural commonality. There was a time when learning Greek and Latin were expected parts of the education of a gentleman (or gentlewoman). Greek and Roman literature are at the heart of the canon of Western literature and thought. In particular, the reason "an educated person" read (and my opinion, still reads) classics is that these are largely the foundation of who we are in the West - our laws, our culture, our values.


Here's a quiz (and yes, some of these are security-relevant):


1) What is the origin of the phrase "Trojan horse"?

2) What is the origin of the word "cryptography"?

3) What do "i.e." and "e.g." stand for, and can you use each correctly in a sentence?

4) Who was Oedipus?

5) Who was Achilles?

6) Who was Epaminondas?

7) Why do we say "not one iota"?

8) Who was Nike?

9) What is the plural of data?

10) What is the origin of the phrase, "I sing of arms and the man"?


(Answers at the end.)


There are benefits to any society of having not merely some common standards for education, but some commonality in the content of what we learn. In the case of learning Greek and Latin, we in the West literally learn where we came from and, in a way, how to speak, whether French, Spanish, Italian or English, as both the structure and roots of so many Western languages are Latin and Greek. My parents made me take Latin in high school in part, because they felt it would increase my understanding and knowledge of English. (It did, indeed.) This isn't merely one of those generational suffering things the Greeks went on and on about in tragedy ("I had to suffer through this class as a kid, and so do you!").


Many smaller "societies" also have canons of education. Engineering, for example. Engineering degree programs are accredited, which means that, for example, civil engineering (CE) programs all contain some core "canon" that everyone who is a CE student studies. It's what makes civil engineers CEs and not, as I am, a Mechanical Engineer (ME). It also helps ensure that there is a core curriculum everyone learns, that helps enforce standards of learning and, indirectly, of conduct. The canon of civil engineering certainly includes classes on statics, structures and safety engineering, to ensure that civil engineers design structures that are safe and reliable. The techniques may change as building materials do, but the values of safety and security are reinforced through the canon of a core curriculum. (Note: There is an intersection between the canon of Western literature and the canon of engineering. Some engineering programs still require students to read Vitruvius' De Architectura. I had to read Plato's Republic in the engineering school at the University of Virginia, among other classics. One of the really cool things about UVA was that they expected their techies to be well read and well-rounded; hence, a humanities division within the engineering school.)


It would be nice to think that there is a canon of computer science to bind CS majors together culturally as well as imparting a timeless skill set, but it really does not exist. Universities, by and large, teach programming, but they don't teach the "canon of programming," that would include - among other things - secure programming practice. Security classes are not required if you are a CS major. Neither is secure programming practice or, as far as I know, ethics and standards of conduct.


If security is taught at all the focus is likely to be on the nuts and bolts of security (e.g., what authentication technologies are available and how does SSL work) instead of an approach to secure development that includes requirements, design, test and configuration. Not to mention, an understanding that the environment for software deployment is not and never was benign. "Assume an enemy" ought to be the first principle of computer programming. Properly done, secure coding would be a required class that students take early on, that they draw upon through every other class. (Just as civil engineers all take structures and statics at some point or they just don't graduate. Furthermore, you can't "forget' the lessons you learned in structures and statics when you progress to other classes, just as security isn't "some outside thing" that you take one class in and forget about.)


There are some bright security spots in the academic environs. For example, one professor I talked to at Stanford in the CS department - in a non-security class, no less - had his students "red team" and
blue team" their homework, to stress that any and all homework had to be unhackable. Go, Stanford! Part of your grade was your homework, but your grade was reduced if a classmate could hack it. As it should be.


I've talked a bit about our secure programming classes, why we give them, what they cover. I am not of the mind that we - "we" meaning the software industry - will ever be able to stop training our employees on secure programming practice, nor would I wish to, because security is a cultural value for vendors, or ought to be. That said, what really fries my bacon is the fact that we vendors collectively have to teach the basics of secure programming practice, because programmers (and we have some truly brilliant ones) just are not learning what should be part of "the CS canon" even at high falutin' universities. ("High falutin'" being the generally accepted term for "illustrious institutions of higher education.")


I am almost polemical about this topic, not merely because we have to teach "language basics," but because of the lack of a canon, we don't have the cultural values, the cultural commonality that the canon inspires. Just as the study of Greek and Latin, and the literature of Greece and Rome helps people understand Western civilization and the values it encompasses, we need a "canon of computer science" so that the values of programming are inculcated in universities. Programming languages come and go, but the principles of good, responsible coding are timeless.


I suppose I am known for being outspoken (as I am fond of saying, imagine how scary I would be with assertiveness training!) but occasionally, I am outspoken to good purpose. Several months ago, I was invited to speak in front of a group in Silicon Valley that included IT industry vendors and academics from Stanford (I will add that Stanford has what is generally acknowledged to be a very strong CS department). One of their professors almost fell off his chair when I - dare I say "got launched" - about having to teach remedial coding practice to otherwise smart developers. It isn't merely the money you spend teaching basics, it is the lack of cultural comprehension of why it matters. Teaching someone to validate input is easy. Teaching someone why they need to be rabid about doing it every single time - so that they internalize the importance of security - is hard. It's the ethics and values part of secure coding I really hate having to retrofit, not the technical bit.  As it says in Proverbs 22:6, "Train a child in the way he should go, and when he is old he will not turn from it."


I am pleased to say that my slight polemic had a positive effect, that you can read about it the editor's piece in CSO Magazine this month (see link below). A number of like-minded folks, including several universities and the vendor community, have banded together to try to come up with a standardized CS curriculum that includes secure programming practice. Woo-hoo! I know that I am not the first person to have complained publicly about the educational issue but I appreciate that others have taken it to heart and are acting on it. Thank you, all you participants in this effort, wheree'er you may be, and thank you, Bob Bragdon, for writing about it.


One of my colleagues in industry has an even more draconian (but necessary) suggestion for enforcing change upon universities. He had tried, unsuccessfully, to get a number of universities to change their curriculum to stress secure programming practice. He ran into quite a bit of resistance, including excuses as varied as "Our faculty are almost all tenured, and there's no chance that we can force change on them" to "Good idea, but it will take ten years to implement a curriculum change like that."


My response, and his: "That's just a bunch of hooey." He decided that one way to get people's attention was to ask Congress to tie research funds to universities to changing the computer science curriculum. I dare say if universities' research grants were held up, they might find the extra time or muster the will to change their curricula! Let's be fair to programmers: many are gifted, talented, hard-working, and it is not (all) their fault that most of them were never exposed to what should be part of the canon of programming.


In fact, this is a very good time to make it clear I am not developer bashing. After all, you can't (and I know this well) hand someone a surfboard and tell him to surf Ehukai Beach (also known as the Banzai Pipeline) with no skills, no training, and no clue how to do it. I can just about guarantee that the result will be a wipeout. A bad one. I know very few stupid CS graduates; I do see ignorance in the area of secure programming, because the topic was never taught to smart, hard-working and motivated CS majors. Everyone pays for it later that this is not taught in universities. We need to fix this. Now, not 10 years from now. Not merely so people learn the techniques of secure coding (we have tools that can suss out bad code) but the principles, the values, and the reasons for secure coding. We need a canon that says, "First, do no harm. Code safely. Code defensively." Engineers do not argue about whether buildings need safety factors. They just know.


There is a point beyond which, if you do not learn the basics, you will be educationally crippled.  To provide an example, both Greek and Latin have declined nouns, meaning you can tell by looking at the noun ending whether it is the subject, object, indirect object or is a possessive. In English, where word order dictates "case," "Dave licked the dog" is clearly different from "The dog licked Dave." In Greek or Latin, either the dog or Dave could show up any where (almost) in the sentence, but we'd know by looking at the ending of "dog," for example, whether the dog was the licker or the lick-ee.


In a Greek class I once took, one class participant (an adult) had to leave the class because she had never learned the parts of a sentence. She had no comprehension that the nominative (subject) case and the accusative (direct object) case would ever be different, or why.  In short, she was never going to be able to communicate in Greek, and I very much doubt she could communicate well in English. I daresay that - whatever this woman did for a living - she was going to run into problems because she had never learned the structure of language - any language. A basic hole in her education was going to cripple her ability to communicate well forever after unless she plugged that hole.


There's an old saw: "For want of a nail, the shoe was lost; for want of a shoe, the horse was lost. . ." culminating in "a kingdom was lost." It's too early to say the IT kingdom has been lost - it hasn't - but if we want our castles to be much less stormable, and not collapse in the first good windstorm, we need to change the way we train our knights in shining armor. We can start by requiring CS programs to include secure programming not merely as a single course, but integrated throughout the entire curricula.  Now.


Tempus neminem manet. (Time waits for no one.)


Answers to the quiz:


1) What is the origin of the phrase "Trojan horse"?


The Trojan horse was, of course, the ruse the Achaeans (Greeks) used to enter the city of Ilios (Troy), which they ultimately sacked and burned (a word for which is ekperthw (εκπερθω), one of many highly descriptive Greek verbs which means "to sack utterly, destroy"). The Greek genius who came up with the idea was, of course, the wily Odysseus. The story of the Trojan horse is part of Homer's Odyssey.  (Note: the movie Troy bears little or no resemblance to either the Iliad or the Odyssey; only Hollywood would have the hubris (or νβρις), another great Greek word, meaning "overweening pride") to rewrite Homer.)


In security weenie parlance, a Trojan horse is a piece of code that a malefactor tricks users into installing, that does something other than what users think it does, and probably not anything good. This is why it's called a Trojan horse and not a Trojan "I won a big windfall, betting on horses."


2) What is the origin of the word "cryptography"?


Cryptography is from the Greek words "cruptw" (κρνπτω) or "secret," and "graphw" (γραϑω), "to incise."  Cryptology is from "cruptw" plus "logos"  (λογος) or "word." See how logical Greek is?


3) What do "i.e." and "e.g." stand for, and can you use each correctly in a sentence?


(The misuse of i.e. and e.g. is one of my grammatical pet peeves. They simply are not that hard to use correctly if you know what each means.)


"I.e." is an abbreviation of the Latin id est  (meaning "that is"). "E.g." is an abbreviation of the Latin exempli gratia (meaning, "by way of example"). Examples of correct usage:


"Every surfer needs at least one longboard - i.e., a surfboard nine feet or more in length - in his quiver."


"Small, sectiony waves are usually best surfed with a shortboard, e.g., a 'fish' or a quad fin thruster."


(A definition of longboard is a board that is nine feet or longer, and hence, I used i.e. and not e.g. A fish is an example of a shortboard.)


4) Who was Oedipus?


Oedipus, in the famous tragedy by Sophocles, kills his father and marries his mother. And what makes this a tragedy, as if the above weren't enough, was that Oedipus' father, having been presented with a prophecy that his own son would kill him and marry his mother, tried to avert the prophecy by exposing his infant son (to wild animals). Unsuccessfully, as it turned out. One of the consistencies of Greek tragedy is you know that fate will inevitably catch up with you, in spades. Or in Thebes. 


5) Who was Achilles?


In Homer's Iliad, Achilles was the greatest of the Greek warriors. The first line of the Iliad can be translated "Sing, Goddess, of the destructive wrath of Achilles, Peleus' son. . ."  One of the coolnesses of Greek is that, since you know whether the noun is a subject, object, indirect object or possessive, you can put it anywhere you want in the sentence. Hence, in the original Greek, the word "menin" (μενιν) or "wrath" is the first word of the Iliad and thus assumes linguistic primacy. Ultimately, the Iliad is all about the wrath of Achilles. Cool, huh?


6) Who was Epaminondas?


Epaminondas was one of the greatest Greek generals of all time. He defeated the Spartans at the battle of Leuctra and freed the Spartan helots (slaves). One of the main reasons the Spartans were such good warriors is they had tons of slaves doing all the real work in Sparta.


7) Why do we say "not one iota"?


Iota is one of the vowels in the Greek alphabet. It often appears as a subscript (below other letters) in written Greek. It's easy to miss because it is below the line of text and hence, "not one iota." That said, the source for the phrase "not one iota" is most likely the New Testament:


"For assuredly, I say to you, till heaven and earth pass away, one jot or one tittle will by no means pass from the law till all is fulfilled." (Matthew 5:18)


The word "jot" is an English transliteration of "iota."


8) Who was Nike?

Nike, correctly pronounced "NEE-kuh," not "Nyke" or "NY-kee" in classical Greek, was the goddess of victory. She was not, as far as we know, the patron saint of basketball nor did she ever say, "Just do it."


9) What is the plural of data?


This is a trick question. Data is the plural of datum, "something given." Data is thus already plural!


10) What is the origin of the phrase, "I sing of arms and the man?"


This is the opening line (in translation) of Virgil's Aeneid.


For more information:


On the demise of a classical education and why it matters: Who Killed Homer? by Victor Davis Hanson  


On Epaminondas (and why he, GEN William T. Sherman and GEN George Patton, Jr. are arguably the three greatest generals of armies of liberation of all time): The Soul of Battle by Victor Davis Hanson.


A good modern translation of Euripides: Griefs Lessons: 4 Plays by Euripides, translated by Ann Carson at:


More on Vitruvius:


A really good translation of the Aeneid is by David West. If you are going to read the Aeneid in translation, this is the one to read:


Wikipedia entry on the Iliad:


Bob Bragdon's (editor of CSO Magazine) column on security education:


More on the meaning of data:


More on Euripides:


Dear Mary Ann, Greetings from the Heartland. Another interesting article. Always educational, with a nice flow. Some of your compatriot's blogs are very stilted. I'm sure their readers may appreciate the information, but for a non-technical person, some are hard reads. Back in 1971 when I was Asst. Admin. Officer at NAS Signonella, Sicily my CO, called out to me, "Drew, what are the Latin words that i.e. represent." I guess he wanted to use the the actual words rather than the acronym. I had to go to a dictionary to find out. I knew, how the acronym was used but didn't know, "id est", until then. If you haven't already, you should go to Sicily and see one of the plays at the Greek Ampitheater in Siracusa where I believe they were played before being brought to mainland Greece. One enjoyable evening I saw Eodipus Rex while drinking Sicilian wine and eating Nespole (Japanese Plums) and an assortment of local cheeses and bread, as the Greeks did 1000 years ago. Cheers, Drew

Posted by Drew Dodenhoff on October 07, 2006 at 07:59 AM PDT #

As a Greek and as a Civil Engineer I found your post really intersting. I 'll try and make time to read De Architectura. PS : the origin of the word Greece is in the Turkish language. The correct name of our land is Hellas.

Posted by Kostas Trevlopoulos on December 29, 2006 at 09:58 AM PST #

This is certainly a superb post. I've some sort of matching web site myself and so I will definately keep coming back to see more. thank you for this sort of a fun time. Pat

Posted by Jefferson Dischinger on August 05, 2010 at 10:26 AM PDT #

Post a Comment:
  • HTML Syntax: NOT allowed



« April 2014