Just in time for cyber awareness month a new word is entering semi-common use. That word is ‘quishing’, another variant of phishing, but this time talking about QR codes. You already know what this is; it doesn’t need explaining. We’ve been on this ride before, but this one is particularly irksome.
No doubt we will serve this up to the organisations we support and put a big ol’ tick in that compliance check box.
CyBuR AwaREeNe5s – DONE!
We’ve had smishing, and vishing, and all sorts of wacky phrases to bolster our own egos. ‘Trust, but verify’, ‘identity is the new perimeter’, ‘security is everyone’s responsibility’, ‘people are the weakest link’, ‘security should be baked in, not bolted on’, ‘zero-trust’, ‘think like an attacker’ and a whole raft of other total nonsense. To lean into a colloquialism, it might be better if security practitioners were ‘baked’; then there might be some adequate level of introspection.
But this ‘quishing quandary’ did get me thinking. It obviously came from the word phishing, but where did that come from with its jaunty unconventional spelling?
There are some interesting points of historical note . . . if you weren’t already aware.
Well, it turns out that the term phishing came about in the ’90s and seems to take the ‘ph’ format from ‘phreaking’. This is a portmanteau of ‘phone’ and ‘freak’. Phreaking was a practice in the late ’60s and early ’70s of playing tones down a phone at certain frequencies to access functions on remote switches to get free long-distance phone calls. The ‘ph’ as a substitution had arguably been used earlier with the use of ‘phat’, which was recorded in the early ’60s and probably earlier, before the standardisation of spelling.
A point that has sunk into the common lore of ‘cyber history’ is that a promotional bosun’s whistle from Cap’n Crunch cereal created a perfect 2600MHz tone to exploit these long-distance switches and was the genesis of phreaking. One of the notable ‘phreaks’ even assumed the moniker ‘Captain Crunch’ as their pseudonym. Although, I’m not sure this era could be entirely blamed for cringe-inducing hacker aliases. Subsequently, little blue boxes emerged: devices used to generate the tones that manipulated the phone network.
Some of the blue boxes were made by Steve Jobs and Steve Wozniak. Jobs had stated that without little blue boxes there would be no Apple. But before all that, Wozniak and Jobs created Breakout on the Atari 2600, a numerical synergy that would pique the interest of the most avid ‘Ickian’ conspiracy theorist!
Clearly there is some narrative resolution to Jobs and Wozniak starting out from hacking phones to making phones, possibly their greatest success. But it’s best not to romanticise criminality as the foundational basis of successful businesses (which seems to be a nasty proclivity in security circles). Still, this is something that happened and is of some note.
Which leads me to my submission into the lexicon of security bullshit.
That entry is . . .
Phisting – the action of an end user device compromising a layer 8 egress, leading to a failure in confidentiality and integrity while significantly increasing availability.
I am being flippant, but there is a point to all this. If we continue to indulge the deluge of fabricated words and phrases that come between us and those we are seeking to help, how does the continuous creation of these words move us forwards?
Words are important; they convey meaning. There is connotation and association, which elicit an emotional response in those that receive our words. We unironically say that ‘phishing is a form of social engineering’ without giving any regard to what social engineering actually is and what is effective in rapport building, and in creating and maintaining relationships.
What do people think about security as a practice when we persist in creating words like ‘quishing’?
Maybe think about how you communicate with people during cyber awareness month.
Or, you can carry on telling people ‘don’t click the fucking link’ for another year . . .