Adrian and I are hard at work on our Building a Web Application Program series, and it led to an interesting discussion this morning on writing and writing styles. I’m fortunate that I’ve always been a pretty good writer; likely because I was a total bookworm as a kid. As with many things in life, if you are good at writing you often gain the opportunity to write more frequently. And the more you write, the better you write, and the more likely you are to develop and understand writing styles.

Today we talked about passive voice, passive language, and brevity. Brevity is something I always struggle with. Most professional writers I talk with agree that it is more difficult to write a shorter piece than a longer one. As a college student in history, I didn’t worry too much about that since professors usually set minimum page counts and I wrote to fill that space as much as to cover the topic. At Gartner, we targeted 3-5 pages with a max of 14,000 words for a normal research note. When I write my online articles and columns for people like Macworld and Dark Reading, they typically ask for 500-800 words. It often takes me more time to write shorter than longer since I’m forced to focus more on the meat.

I’ve become fascinated with the use of language now that I get paid to put my words on the page. How word and grammar choices affect the interpretation of my work, and audience receptiveness, as much or more than the content. For example, I find that passive voice makes you sound indecisive, confusing, and less authoritative. Passive voice is also closely tied to passive language in general- which although grammatically correct, is inefficient for communicating. For example, the first time I wrote this post I started with, “Adrian and I have been hard at work”. Now it reads, “Adrian and I are hard at work”. The language acts, it’s not acted upon. An example of passive voice is, “the risk of data loss is reduced by DLP”, as opposed to the active variant, “DLP reduces the risk of data loss”. One just sounds stronger and clearer.

I could spend all day talking about writing and writing styles. My personal goals in writing are to keep a conversational style, use active language, be direct, avoid bullshit, and focus on clarity and simplicity. Sometimes that means breaking traditional grammar rules which can be too constraining and force sacrifices of effective style choices. I’m not perfect (just ask our editor Chris), but it seems to work well, Even in my “pontification” posts I try and focus on the main points and reduce extraneous language. Although Gartner left me free (in terms of style) to write how I wanted, I’m a bit more of a taskmaster here at Securosis and require contributors to follow those guiding principles. You pay us (not that most of you pay us) to save you time and money by providing insight and advice to help you do your job, not to write crap that’s hard to understand.

And for those of you who write, and want to be successful, learn to say more with less, write to the correct audience, write with structure (don’t wander around), and always have a goal with each piece- be it an email, blog post, article, or novel. Develop your own writing style, rather than trying to channel someone else’s, and constantly critique your own work.

Now that I’ve wasted four paragraphs on writing with brevity, here is the week’s security summary:

Webcasts, Podcasts, Outside Writing, and Conferences:

• The print and online editions of Wired include a main feature article on Dan Kaminsky’s big DNS disclosure. I’m mentioned near the end of the article due to my involvement. Speaking of writing styles, Wired tends to focus on drama and personalities, and I was disappointed in how they portrayed some of what occurred. Dan comes across as some sort of mad/fringe hacker who almost decided to use the DNS vulnerability to take down banks, not a professional researcher who tried his best to handle an unusually sensitive bug. Anyway, you can judge for yourself, and I need to go buy another copy for my mom.
• I was interviewed at (IN)SECURE magazine. It’s a great publication, and I am excited to be included.
• On the Network Security Podcast this week, it’s just Martin and myself. At the end, we talk a fair bit about our home networks and my use of the Drobo.
• I wrote a TidBITS article on the Mac antivirus controversy this week. I was also interviewed about it by CNET and was in a hundred other articles, but my favorite take is by the Macalope. I’m happy to watch that game and drink that beer any time…
• I was interviewed on safe online holiday shopping for the Your Mac Life show.
• Yes, I was the total media whore this week. I also did a dozen interviews on the RSA/Microsoft partnership. Here’s Dark Reading, Information Week, CSO Magazine, and TechTarget/SearchSecurity.

Favorite Securosis Posts:

• Rich: I’d like to say my How to be An Analyst post, but for this week it has to be my take on the Microsoft/RSA deal. This one has serious long term implications.
• Adrian: The Business Justification for Web Application Security: It may not be sexy, but it is important.

Favorite Outside Posts:

• Adrian: This Rational Survivability post on ZoHo’s CloudSQL may not have been all that interesting to most, but after I read it, I must have spent half the day looking over the documentation, getting my API key and testing it out. This has a lot of ramifications for not only how we might provide data, how we implement SOA, and as Chris points out, security as well. More to come on this topic.
• Rich: The EFF guide for security researchers. Anyone who engages in any primary research absolutely must read this article. Although I do very little research of this type, I do follow some very strict personal guidelines to keep myself out of trouble (especially since I do a lot of wireless).

Top News and Posts:

• The EFF is asking for a DMCA exemption for unlocking mobile phones. One word- FTW!
• A Groklaw article on the chilling implications of the Lori Drew conviction. Basically, it turned violation of the terms of service of a website into a criminal offense. Odds are high this will be overturned, but if not it’s one of the few things I read this week that truly scare me (involving the online world, plenty scares me about the real world).
• It’s not really news, but it’s bad when I am more surprised by the fact there is a restaurant named Spicy Pickle than the fact that they suffered a data breach. They actually have customers? (Adrian submitted that one, I’ve been eating there for years and love the place -Rich).
• DoD computers under attack from Russia.
• Ivan Arce on Galileo and vulnerability disclosure. Ivan rocks.
• The Security Blogger’s Meetup approaches.
• CBS.com compromised and used to spread malware.

Blog Comment of the Week:

LonerVamp on The Asset Recovery/Phone Home Software Algorythm:
A phone home feature may be cute and make for a good story, but I wouldn’t put much value or dependence on it. Unless it is just a feature to turn on, I’d rather put my money elsewhere with better assurances like disk encryption. Something where I can even go so far as to write off the loss of the hardware but be reasonably assured the data is unrecoverable.
A question I would have: How does the software know the device is missing or not? Does it just always phone home? How does it connect back to the mothership? As an employee, I’d be a little annoyed that my laptop is basically ‘monitored’ even when in my rightful possession, but that’s me and I’m paranoid/tipsy/interested about this stuff. 🙂
Of course, if such a laptop fell into my hands, the first thing I’d do is format the drive, or even outright replace it. shrug

I feel bad I had to pick one; we got a ton of good comments on various posts this week.