ESET Threat Blog

Archive for the 'blogging' Category

Shorteners/Redirectors: short of ideas


Wednesday, August 5th, 2009

We’ve been having some discussion internally about shortened URLs, with specific reference to pointing to web resources on Twitter, where you can’t actually avoid using shortened URLs, because an uncompressed URL is automatically shortened using bit.ly.

You may remember that I discussed these issues before here. The main problem, of course, is that it’s all too easy to conceal a malicious site behind a shortened URL, as all too many blackhats have already discovered. So while I sincerely hope that ESET’s web pages are as secure as they can be on the wild, wild internet, I think it’s more responsible to force users to check the real URL before they open it, even though it’s an extra click. As a security company, we should be trying to set a good example.

Now, bit.ly isn’t a bad option: it offers a preview plugin for Firefox users, checks links against some blacklists, and offers click ratio statistics. But it doesn’t let me force a preview, and it isn’t browser-agnostic.

The tr.im service seems to be good on statistics, but I can’t find a preview mode or security information: perhaps there’s something if you actually sign up for it, so I’ll be looking further into that.

Recently I’ve been using tinyURL with the "preview.tinyurl.com" prefix, to force anyone who uses it to see the preview page that tells them what the full URL is. (is.gd also has an option to force a preview by appending a hyphen, and also uses SURBL.) If you really hate the preview option, and it seems that some people do dislike seeing the redirect, you can avoid it by pasting the link into your browser with the "preview." removed. But that’s probably more hassle than just viewing the preview and clicking again.

Right now, though, I’m using sURL, which always shows a preview page, and has one or two features I like the look of and am testing out at the moment. (I particularly like the ability to generate a loooooonnnnnnggggggg URL, but I haven’t thought of a legitimate use for it yet.)
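The TinyURL and is.gd preview forms described above can be applied mechanically before a link is posted. The following is an added example, not code from the original post or from any of the services: the function names and the short codes in the demo are constructed, and the rewrite rules are only the two the post describes.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Services the post says offer no way to force a preview (as of 2009).
NO_FORCED_PREVIEW = {"bit.ly", "tr.im"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _host(parts):
    host = (parts.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def to_preview_url(url):
    """Return the forced-preview form of a short link, or None if none is known."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host, path = _host(parts), parts.path
    if not path.strip("/"):
        return None                      # no short code to preview
    if host in ("tinyurl.com", "preview.tinyurl.com"):
        host = "preview.tinyurl.com"     # "preview." prefix, per the post
    elif host == "is.gd":
        if not path.endswith("-"):
            path += "-"                  # trailing hyphen, per the post
    else:
        return None
    return urlunsplit((parts.scheme, host, path, parts.query, ""))


def force_previews(text):
    """Rewrite known short links in text; also list links that cannot be forced."""
    flagged = []

    def swap(match):
        raw = match.group(0)
        url = raw.rstrip(".,;:!?)")      # keep sentence punctuation out of the link
        tail = raw[len(url):]
        preview = to_preview_url(url)
        if preview is None and _host(urlsplit(url)) in NO_FORCED_PREVIEW:
            flagged.append(url)
        return (preview or url) + tail

    return URL_RE.sub(swap, text), flagged


if __name__ == "__main__":
    # Constructed sample text; "abc12" and "xyz" are made-up short codes.
    print(force_previews("See http://tinyurl.com/esetblog, http://is.gd/abc12. and http://bit.ly/xyz"))
```

Links returned in the second element are ones a reader would have to expand by some other means before trusting them.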

However, I’d like to establish consistent practice across the blogging team. And, indeed, to get your opinions. How would you prefer us to handle this, if you have any views at all? Do you use the Twitter notifications?

By the way, I’m probably going to come back to this topic in a paper Real Soon Now. In the meantime, if you’re interested in looking at the issue in more detail, you might want to take a look at Rob Slade’s blog here.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Research and Support


Sunday, July 26th, 2009

Following up on blog comments is part of the job for those of us contributing to the ThreatBlog. Well, I suppose it is: no-one else does it if we don’t. :-)

Much of the time, comment handling involves dealing with the occasional comment spam that slips through our filters (there’s an interesting item on a novel approach to blog-spam at Hype-Free, by the way, that casts some light on how some spam evades filtering by seeming to be on-topic). However, given some of the stuff that I’ve noticed in the past few weeks, I thought it might be useful to give you some idea of how we deal with stuff that isn’t blatant or not-so-blatant spam.

We’re quite a small team and we all have a lot of other work to do, but we do approve appropriate comments pretty quickly, in general: we’re not always as quick to respond as we’d like to be, but we do our best.

Some comments are perfectly relevant: some are positive, some commentary is hostile, but that doesn’t mean it isn’t constructive or useful, and we don’t reject comments just because they’re critical of us or of ESET. Actually, we’re more likely to approve comments that are critical but appropriate than we are comments that simply say "I agree" or "brilliant blog!":

  • Sometimes, this is just generic wordage intended to get a specific link onto our pages.
  • Lots of comments with no significant content that sound supportive are often assumed to be put up by ESET, and as members of the Research team, we intend to provide technical content and informed opinion, rather than pure marketing material. Not that there’s anything wrong with marketing – that’s what pays our salaries! – but that’s not our work area. 

A lot of the comments we see are actually nothing to do with the topic. (Of course, comment spam is hardly ever on topic, but that’s not what I’m talking about here.) This is problematic, in that more often than not, there’s no point in simply approving an otherwise legitimate if irrelevant post, since it requires an answer. Sometimes we’ll answer these in email rather than approve and answer a comment.

Either way, a lot of these turn out to be support queries. Sorry, but we can’t answer support queries: we would if we could (and some of us have, in other contexts), but we’re not resourced to do that in this team, and our expertise isn’t in the minutiae of ESET products. So unless it’s something we happen to know the answer to off the top of our heads, I’m afraid we’ll have to refer you to support resources like the ESET knowledge base at http://kb.eset.com/esetkb.

Then we have the occasional interesting comment compromised by the fact that it’s clearly aimed at promoting a rival company. Sorry, but it has to be really interesting before we’ll consider that, and the security equivalent of an unpublished Shakespeare play before we’ll consider approving it before editing out the advertorial comment. Unfortunately, that means that such posts will generally have to wait until we have time to edit them…

All that said, we really do appreciate all the informed comments and debate that some of our blogs attract!

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Securing Our eCity community initiative: http://www.securingourecity.org/