I guess this is the distinction. I completely agree with "highly spoofable" - I'd even go so far as to call it eminently spoofable. But, if risk = vulnerability * (threat / likelihood - as a decimal number no greater than 1) - any number times 0 is 0.
SMS spoofing/cloning are a non-zero risk, even for folks who celebrated a holiday yesterday - but how do we communicate that to the average user in a way that gets their attention, but isn't so catastrophic that it fades into the background noise of "everything is going to get you eventually"?
This is a genuine question I've had, as a security-conscious developer, for several years. The vulnerabilities are real - security professionals can provide chapter-and-verse for that. Communicating the threat, though, is where the industry comes up short. "This is like bathroom graffiti!" doesn't land with most folks. IOW - if the given is "these ignorant users believe their data is not at risk" - do you have ideas of how we can convince them that they're wrong?
What I've done, up to this point in my career, is make my stuff as secure as possible. I'd love an out-of-the-box take, though, that breaks through the tech-bubble noise and convinces people not to panic, but to actually consider their risk and adjust their behavior. :)