In 2017, Rudolph W. Giuliani was named as a cybersecurity adviser to President Trump. This was widely seen as a consolation prize. Giuliani had been in charge of a cybersecurity firm but had reportedly wanted to become secretary of state. More recently Giuliani has come to play a central part in Trump’s legal team, and has also acted as a public advocate battling on behalf of Trump across a wide variety of media. In the latter role, Giuliani has just made a claim that suggests he doesn’t have a very clear understanding of how Twitter and the Internet work.
Giuliani accused Twitter of being biased against conservatives
The trouble started when Giuliani wrote a tweet defending Trump against the investigation by special counsel Robert S. Mueller III.
The tweet — which is still available at the time of writing — has a weblink highlighted in blue. This link leads to a website stating simply that “Donald Trump is a traitor to our country.” Obviously, Giuliani, who has consistently defended Trump against such accusations, didn’t intend this link to appear in his post. He has now accused Twitter of blatant anti-Trump bias.
This is almost certainly wrong
The claim that Twitter somehow set up Giuliani is almost certainly not right. It’s pretty clear what happened (and Giuliani himself glancingly refers to this, in a semi-garbled fashion in his accusatory tweet). Here’s how Giuliani wrote a tweet that ended up linking to a website that claims his client is a traitor to the country.
The first step was that Giuliani made a typo. He didn’t put a space between the period at the end of one sentence and the word beginning another. This made Twitter think that Giuliani was deliberately trying to create a link to a website. Twitter parses the text of every tweet that its users make and tries to format them in ways that convey information. If you accidentally put an @ symbol in front of a word, Twitter will think that you are trying to refer to another Twitter user, and it will try to create an in-Twitter link to that user’s Twitter profile. Similarly, if you write text that has a word followed directly by a period, which is then followed by any one of a number of letter combinations (.com, .ie, .gov, .new), Twitter will think that you are writing a website’s domain name, and will then try to turn what you have written into a clickable link. In this case, Giuliani had a word followed by a period followed by the letters “in”. Since .in is the “top level domain” for Indian websites, Twitter’s interface assumed that Giuliani was referring to an Indian website, and generated a weblink.
The second step was that someone saw Giuliani’s mistake and decided to have some fun. This person presumably found that the website domain name that Giuliani had inadvertently referred to (G-20.in) was available, bought it and created a website criticizing the president. The rest is history.
This tells us interesting things about cybersecurity
Unsurprisingly, a lot of people are making fun of Giuliani on Twitter. His error is an elementary one for someone who is charged with advising the president on cybersecurity issues, and who presumably charges private clients large amounts of money for his cybersecurity expertise. Republicans are gearing up to renew their claims that Twitter, Facebook, Google and other services are biased against conservatives. Their political opponents very likely will use Giuliani’s mistake to try to undermine these accusations on the Hill.
Still, it isn’t all that surprising that Giuliani fumbled the claim. The higher levels of U.S. politics notoriously have plenty of aging men who do not understand technology very well, even while they have enormous power to shape it.
There are important lessons that they and others could draw from the prank, if they were willing to pay attention and learn. The fact that this could happen illustrates three simple (and practical) lessons of cybersecurity.
First: Information technology behaves in unexpected ways. Even highly advanced technologies will sometimes fail to anticipate what their users (especially technologically unsophisticated users) want them to do, and will do something very different instead. This can create openings for attackers (or, in cybersecurity language, “attack vectors”).
Second: Large swaths of the Internet involve open communication across different services, which are under the control of different businesses and organizations. The Internet is open, even if companies such as Facebook and YouTube do their best to corral users inside their own “walled gardens,” generating revenue as they see more ads. When someone moves from one online service to another (e.g. through clicking on a URL link), they leave one zone of control and enter into another, which can work along very different rules. Thus, once Giuliani had mistakenly generated a link that led to a website outside Twitter, others could change the website that he linked to in ways that he found embarrassing.
Third: When you generate an opening that can be used in unexpected ways, someone will likely take advantage of it. Indeed, Giuliani was arguably lucky that the link he created only led to a relatively tamely worded political accusation. Previous generations of pranksters have taken advantage of other loopholes to lead unsuspecting users to far more upsetting content. A substantial amount of the code underlying the once-famous discussion site slashdot.org was designed to protect users against nefarious trolls who wanted to trick victims into clicking through to the notoriously distressing “goatse” image.
It’s unlikely that Giuliani — or anyone else — will treat this as an opportunity to learn more about cybersecurity. Even so, there are lessons that can be learned from it.