Tuesday, 11 Dec 2018

Rudy Giuliani is Trump's cybersecurity advisor. He may want a reminder.

In 2017, Rudy Giuliani was appointed as Cyber Security Advisor to President Trump. This has been widely regarded as a consolation prize: Giuliani ran a cybersecurity company, but would have liked to become secretary of state. More recently, Giuliani has come to play a central role in Trump's legal team and has also acted as a public defender on behalf of Trump in a wide variety of media. In this last role, Giuliani has just made a claim suggesting that he does not understand very well how Twitter and the Internet work.

Giuliani accused Twitter of being partial to conservatives

The trouble began when Giuliani wrote a tweet defending Trump against the investigation of special advocate Robert S. Mueller III.

The tweet – which is still available at the time of writing – has a web link highlighted in blue. This link leads to a website simply stating that "Donald Trump is a traitor to our country". Obviously, Giuliani, who has always defended Trump against such accusations, did not want this link to appear in his message. He has now accused Twitter of flagrant anti-Trump bias.

It's almost certainly wrong

The claim that Twitter somehow did this to Giuliani is almost certainly not correct. It's pretty clear what happened (and Giuliani himself alludes to it, in semi-truncated form, in his accusing tweet). Here is how Giuliani wrote a tweet that ended up inadvertently linking to a website claiming that his client was a traitor to the country.

The first step was that Giuliani made a typo. He did not place a space between the dot at the end of one sentence and the word that starts the next. This led Twitter to think that Giuliani was deliberately trying to create a link to a website. Twitter analyzes the text of each tweet created by its users and tries to format it to convey information. If you accidentally put an @ symbol in front of a word, Twitter will think that you are trying to refer to another Twitter user and will attempt to create an in-Twitter link to that user's profile. Similarly, if you write text in which a word is followed directly by a dot, followed by a combination of letters (.com, .ie, .gov, .new), Twitter will think you are writing the domain name of a website and will try to turn what you have written into a clickable link. In this case, Giuliani had a word followed by a period followed by letters. Since .in is the "top level domain" for Indian websites, the Twitter interface assumed that Giuliani was referring to an Indian website and generated a web link.

The second step was that someone saw Giuliani's mistake and decided to have fun. This person likely found that the domain name of the website to which Giuliani inadvertently referred (G-20.in) was available, purchased it and created a website criticizing the president. The rest is history.
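The first step described above can be caught before a message is published. The following is an added example, not part of the original article and not Twitter's actual code: it approximates the auto-linking rule and flags bare domain-like tokens that look like a missing space after a full stop. The sample text, the short TLD list and the function names are constructed assumptions.

```python
import re

# Assumption: a small sample of top-level domains; a real auto-linker
# consults the full IANA list.
SAMPLE_TLDS = {"com", "org", "net", "gov", "ie", "in"}

# One DNS label: letters, digits and inner hyphens only.
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

# Constructed sample text (not the wording of the real tweet).
SAMPLE_TWEET = ("The leaders met at the G-20.In other news, "
                "see example.com for details.")


def find_autolinks(text):
    """Return (token, likely_accidental) for each bare word that a
    TLD-based auto-linker would turn into a clickable link."""
    hits = []
    for raw in text.split():
        token = raw.strip(".,;:!?()\"'")
        # Explicit URLs and @mentions are deliberate; plain words have no dot.
        if "://" in token or token.startswith("@") or "." not in token:
            continue
        labels = token.split(".")
        if labels[-1].lower() not in SAMPLE_TLDS:
            continue
        if not all(LABEL.match(label) for label in labels):
            continue
        # Heuristic: a capitalised "TLD" such as ".In" is usually the first
        # word of a new sentence whose leading space was left out.
        tld = labels[-1]
        accidental = tld[0].isupper() and tld[1:].islower()
        hits.append((token, accidental))
    return hits


def repair(text):
    """Insert the missing space in every token flagged as accidental."""
    for token, accidental in find_autolinks(text):
        if accidental:
            head, _, tail = token.rpartition(".")
            text = text.replace(token, f"{head}. {tail}")
    return text


if __name__ == "__main__":
    print(find_autolinks(SAMPLE_TWEET))
    print(repair(SAMPLE_TWEET))
```

A flagged token is worth a second look even when the link is intended: if the domain it names is unregistered, anyone can register it later and control what readers see.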

That tells us some interesting things about cybersecurity

Not surprisingly, many people are making fun of Giuliani on Twitter. His mistake is a basic one for a person charged with advising the president on cybersecurity issues and who, presumably, is charging his private clients large sums of money for his expertise in cybersecurity. Republicans are preparing to renew their claims that Twitter, Facebook, Google and other services have a bias against conservatives. Their political opponents will most likely use Giuliani's mistake to try to undermine the charges against him.

However, it is not surprising that Giuliani spoiled the demand. The highest levels of American politics notoriously include many aging men who do not understand technology very well, even though they have tremendous power to shape it.

They and others could learn important lessons from this prank if they were willing to pay attention and learn. The fact that this can happen illustrates three simple (and practical) lessons in cybersecurity.

First: Information technology behaves unexpectedly. Even the most advanced technologies sometimes fail to anticipate what their users (especially technologically unsophisticated users) want them to do, and will instead do something very different. This can create openings for attackers (or, in the language of cybersecurity, "attack vectors").

Second: Large parts of the Internet involve open communication between different services under the control of different companies and organizations. The Internet is open, though companies such as Facebook and YouTube are doing their best to lure users into their own walled gardens, generating revenue as those users see more ads. When a person goes from one online service to another (for example by clicking on a URL link), she leaves one control area and enters another, which may follow very different rules. Thus, once Giuliani mistakenly generated a link to a website outside of Twitter, others could change the website he was linking to in a way he found embarrassing.

Third: When you create an opening that can be used unexpectedly, it is likely that someone will take advantage of it. Indeed, Giuliani was probably lucky that the link he created only leads to a relatively mild political accusation. Previous generations of jokers have taken advantage of other loopholes to bring unsuspecting users to even more upsetting content. Much of the code behind the once-famous chat site, slashdot.org, was designed to protect users from infamous trolls, who wanted to trick victims into clicking through to the notoriously distressing "goat" image.

It is unlikely that Giuliani – or anyone else – will see this as an opportunity to learn more about cybersecurity. Nevertheless, there are lessons to be learned.

