Podcast Dec 13, 2022

Root Causes 261: Why I Don't Say Spoof

The word spoof is a security industry term used in the context of social engineering attacks. In this episode we explore the word's connotations in different walks of life and why its connotations may not serve us well when applied to security concerns.

  • Original Broadcast Date: December 13, 2022

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    So, this is a Tim waxes philosophical episode and, in particular, I wanted to explain the reason – this might be a short episode – I want to explain the reason why I seldom use the word “spoof”. So, Jason, “spoof”. It’s an industry word. It’s an industry word. It’s a longtime industry word. It’s a PKI word. Explain to me what spoof means.

  • Jason Soroko

    It’s a word I find, I probably never use myself. It’s a word I read. Whenever I’m reading it, it is typically a technical journalist who is describing someone in the act of a phishing campaign who is pretending to be something other than what they are and they are therefore, spoofing someone else or something else.

  • Tim Callan

    From a strict dictionary definition, spoofing simply means directly and deliberately imitating another known entity. It’s a judgment free word.

    And in the world of PKI and trust models and Alice and Bob and all that stuff that you and I have been talking about for decades, this word spoof has been brought in when a digital entity, usually an email or a website, but it really could be any digital entity, pretends to be a different digital entity for purposes of deceiving. And as such, it’s fundamentally deceptive. There is a judgment associated with it. It’s dishonest. It’s an attack. But spoof itself is a neutral word. It just means an act, and this is where I start to have the problem with it, because in all walks of life except the world of online identity, threats, social engineering, Alice and Bob and all that stuff, in all the rest of the world, spoof actually has very positive connotations. If you listen to a Weird Al Yankovic song, it’s a spoof of a popular song and we all have a good time and we laugh. And if you watch a funny movie, if you remember Airplane, that was a spoof of the movie Airport. And we all had a good time and we laughed. And for those of us who are old enough, we used to read Mad Magazine and it was full of all kinds of spoofs of other things that were popular in the media at the time, and we all had a good time and we laughed. So, if you talk to a non-security professional, spoof is a good thing. But if you talk to a security professional, spoof is a bad thing, and I personally find this disconnection cognitively dissonant. I just find it jarring. When I read spoof, when I say spoof, I fear that we are underplaying the maliciousness of the activity because all of these other associations are in all of our minds.

  • Jason Soroko

    That’s an interesting thought, Tim. And I totally agree with you about the disconnect. The positive/negative disconnect. Really in the security, cybersecurity industry overall, or I should really, really say the marketing from some cybersecurity companies and some technical journalists, that word is absolutely meant as a trigger word to make you worried. You don’t want somebody spoofing you or something like that. You are exactly right, though. It is typically used as a very negative word.

  • Tim Callan

    It is. But I think if you are using the word spoof in your marketing, I think you are selling yourself short, because I do believe that we’ve got these very deep ingrained associations with it that are much more benign. Nobody thinks that Weird Al Yankovic or Mad Magazine – I shouldn’t say nobody. There’s a lot of people in the world, but very few people think that Weird Al Yankovic or Mad Magazine are doing anything that’s deceptive or bad. And so, if this is what we are living with all the time in our offline world – take a little thought experiment with me. If we think about two different sentences. I say, number one, this email that you may receive is engineered to spoof your bank. Or if I said, number two, this email that you received is engineered to counterfeit your bank. Which one sounds worse? Counterfeit. What’s worse? A spoof webpage or a counterfeit webpage?

  • Jason Soroko

    I think you hit on the really important point, Tim, which is there are better words to use, and quite often, like the word counterfeit or even the word disingenuous or the word imitate. These are far, far better words because they actually – they give you a much better idea. They give you a lot more information about what’s actually happening.

  • Tim Callan

    Fake is pretty good. I say fake a lot. I would rather say a fake website than a spoof website, for instance. And so, I say – I sometimes say spoof just because it is a word that has a specific meaning. It’s in vocabulary. So, don’t go back and listen to old episodes and send me angry emails telling me that I said spoof in Episode 173. Fine. But I say it very seldom and when I do say it, it’s almost kind of by accident. It’s just sort of because I read it enough that it accidentally comes out of my mouth. It’s a word that I think in the context of security I almost never say specifically or explicitly or intentionally because I do fear that when we use this word what we are doing is we are subtly and probably unintentionally downgrading the severity of that particular aspect of the attack. And I am not sure that we are doing ourselves favors if we choose vocabulary that is going to alter the severity or importance of our perception of a particular aspect of what we are doing.

    Again, I understand. If you look at the dictionary, it’s a neutral word. But I think that in the real-world usage of a modern 21st century westerner, it is not a neutral word. And so, that’s always bothered me and so, I’ve done a lot of writing and speaking and presenting and things over the years in this particular world and category and it’s just a word I don’t like, and I mostly don’t use.

  • Jason Soroko

    To the average person listening and for those of you who are just workers in the IT industry – whatever – I guess the suggestion is don’t be tempted to use the word. Use something else.

  • Tim Callan

    Or do what you want. I mean it’s ok.

  • Jason Soroko

    Typically, the other word would be better.

  • Tim Callan

    Like if you want to say spoof, you can say spoof. I’m explaining the reason that I think the word is subtly misleading, and what you said earlier I like, Jay, which is there are better words. There are words that don’t have this problem. Counterfeit is a good one. Fake is a good one, and I tend to use those words when I’m thinking. When I’m being thoughtful about what I’m saying and when I’m writing articles and things, I stay away from the word spoof because it is – and again, somebody is gonna find an article I published in 2006 that says spoof and tell me I’m a liar – but in general I try to stay away from this, and that’s just because it’s what I said. I just think it masks and downplays a little bit of this particular malicious activity that’s going on, and it is fundamentally malicious, and we don’t want to lose sight of that.

  • Jason Soroko

    Tim, the only problem I’ve got right now is that I know exactly who Weird Al Yankovic is and I read a lot of Mad Magazine, and all that makes me feel is – that just tells me how old we both are.

  • Tim Callan

    Absolutely. Although Weird Al is still going. Good on you, Al. Keep going. Love you, guy.

    So, that’s it. Short and sweet, but it’s something that I thought I would get out there into the dialogue because it’s something I’ve felt for a long time.

  • Jason Soroko

    Use good words, folks. I tell you, in the cybersecurity industry, and especially when we get into something as hardcore as even PKI, I gotta tell you, words are important. Tim and I deal with words all the time because we are kind of communicators within the industry and within the company, and I gotta tell you, in modern marketing and some of the technical journalism there are definitely some awesome, awesome journalists out there who don’t commit these errors, but there are some folks who don’t pay as much attention. I gotta say, Tim, I agree with you on thinking about the words, because they are important, because they help us define how we think about it, and they definitely help us to define how people who are less experienced, who need help and look to us for leadership on this, think about it.

  • Tim Callan

    Words certainly do have some power, and I want to be clear: I don’t want to go so far as to claim that I’m calling out anybody who decides to use the word spoof. I’m explaining why I think it’s problematic, and if other people decide they agree with my rationale, then they can also agree with my vocabulary decisions. I wouldn’t be aggressive enough to claim that somebody using spoof in this context is doing it wrong. I just think it has the wrong tone. That’s all.

  • Jason Soroko

    Then I’ll be the aggressive one. Just kidding. No, we hadn’t even brought up this topic together before we started the podcast, Tim, so I didn’t know what you were gonna talk about, but I actually found myself feeling really strongly about it once you mentioned it. So, there you go.