There is a huge amount of news pouring out of the Middle East right now. Oil prices are shooting up. The "stable" countries in the area are eyeing their "unstable" neighbors quite warily and there is tremendous unease in general.
One of the by-products of the strife, conflict and chaos occurring in the Middle East has been a laser-like focus on the role that social media has been playing in the drama unfolding daily in a new country, almost country by country. One facet that has made social media have the impact it has had is the shortness of messaging allowed by services like Twitter and now Facebook as well as other sharing sites.
As anyone who has used Twitter more than once knows, the easiest way to submit a long link (url-uniform resource locator) is to shorten the link using anyone of other popular shorteners available for free and in paid versions. If you use a client like tweetdeck, the odds are you use a shortener powered by something ending with .ly (the extension) When you shorten, you cloak the real url, and re-direct the user to another -- which in itself is a recipe for disaster. When you add in executable code that can be like a payload -- with ddos, malware or other problematic attacks embedded. Your computer could turn it on without you even knowing, simply through the act of the redirect itself.
(Now I am about to say some things that will get some people annoyed so a disclaimer of sorts: I am not attacking any company nor service with the .ly extensions. Rather I am asking some questions in the hopes of helping to create some constructive answers and help allay some fears in the user base.)
This is an even huger problem as the .ly extensions are clearly and most definitely controlled by Libya. It is up to the Government of Libya to approve, deny or block content and users of .ly extensions according to both Islamic law and Libyan law. Libya is violently cracking down on it's citizens and is using threats of and actually shutting down the internet. Why should Western companies think they are going to stay away from these troubles?
So not only is there a threat of shutdown -- there is the more pernicious problem of the potential abuse of any redirect necessitated in any shortener program. These shorteners start executable code on your computer to do the re-direct. You don't always know where you are being sent. Recently the Isreali government demonstrated that DDOS and other malicious code can be inserted into the backend of shorteners, a stern warning any government should be paying attention to. The United States Government recently issued its own shortener, based on Bit.ly professional (paid) version with some changes to the T.O.S. and other things. They have a secondary company supporting this. To the credit of the GSA, when I inquired through a tweet about the use of .ly shorteners with regard to Government agencies and the current crisis, I got a real response within minutes showing Gov 2.0 in use. However I seriously question the reliance on a company that is in turn relying on an extension controlled by a brutal dictatorship with no regard to human rights let alone western corporate rights. There are other shortener companies that do not rely on the .ly extensions. Why create a potential back door for mischief? I talked to many federal workers today, and received many emails and direct messages with varying degrees of use/non-use of the .ly extensions. One thing became very clear. In this age of Gov 2.0 and Web 2.0 - we need to be careful to guard against the rush of technology leading to rash decision making.
There has been a spate of recent stories about the problems with shorteners in general, and .ly extensions specfically, long before the current problems heated up. So I would suggest to the U.S. Government, and to other Governments, that they look seriously at using non .ly related shorteners, and come up with a way to take the mischievous component out of the equation, in a bid to make the internet a safer place while still keeping the immediacy of the message intact.
Follow up:
Bit.ly has issued some statements on Quora as well as it's own website with regard to the status of the .ly extensions. There still seems to be confusion over what would happen with a full shutdown, as there is a 28 day report period after which Icann will not take further information from a non addressing extension. At the same time, there are multiple hosting points, and of the 5 for .ly only 2 are in Libya. So while this provides some clarity - it does not address the payload issue, or why the shortener industry decided to rely on .ly extensions which still fall under the Islamic/Libyan law situation I laid out above.
My colleague Oliver Marks from Constellation Research Group wrote this piece in ZDnet in which he raises some interesting points about the history of this and also the larger security questions this brings up for both Governments and venture capital funded businesses, as well as users around the world. He also challenges some of the assumptions about technology.
reposted from www.silberberginnovations.com