The perils of using remote scripts

The BBC ran an article on the recent BA hack. The thing that stands out for me is the following:

“Hacks like this make use of an increasingly common phenomenon, in which large websites embed multiple pieces of code from other sources or third-party suppliers.
Such code may be needed to do specific jobs, such as authorise a payment or present ads to the user. But malicious code can be slipped in instead – this is known as a supply chain attack.” (https://www.bbc.co.uk/news/technology-45481976)

I’ve argued against this in the past, to no avail, and now it’s everywhere. Designers pull code from wherever it happens to be hosted in order to make their websites work. I’ve even seen it inside commercial CMS products: when a new PHP release deprecates functions, the vendor has a major job finding or writing replacement libraries because the Internet-sourced one they depend on is no longer being updated. I have also seen font libraries used where the usage exceeds the licence agreement, so the download fails and the poor user’s browser stalls waiting for it. Browse to just about any commercial website now and take a look at the connections your system is making and to where; many of them exist only to download a font or a JavaScript library for some jazzy function, and every one of them is a place where code you never reviewed can be swapped for code you would never have accepted.

Remember the news when a JavaScript library served to thousands of sites was found to include a cryptocurrency-mining script?

And heaven forbid that programmers would simply take bits of code from Internet sources and glue them all together to create a new app. I mean, that would just be asking for trouble, right?

Basically, we’re doomed…

URL shortener problems

I noticed today that the BBC uses bbc.in as a URL shortener. I wanted to see a story posted by the local BBC outfit on Twitter that carried such a link. But the bbc.in link redirected to bit.ly, and the trouble is that bit.ly is currently blocked by Sky Broadband Shield for phishing or malware. There’s no surprise there, given that bit.ly et al. hide the real destination until after you have clicked.

Later on, the redirect from bbc.in went to trib.al instead, which is not blocked, and that then took me to a BBC page.

So… given that the BBC owns bbc.in, why not run a URL shortener there and avoid these external, uncontrolled ones? A link that passes through a third party’s redirect is only as trustworthy as that third party, and these externals are bound to keep causing issues.