Malware Sucker Punch
January 12, 2016 8:46 AM   Subscribe

Forbes.com will ask you to turn off ad-blocking software or extensions that you may have on your browser in order to read their articles. If you comply, you then run the risk of being served malware.

This is not the first time that Forbes has had malware-infected ads. [link goes to a Forbes page, but it seems to be safe.] They seem to be aware of the problem.
posted by Halloween Jack (93 comments total) 16 users marked this as a favorite
 
This roughly tracks the experience of voting for Steve Forbes.
posted by nevercalm at 8:51 AM on January 12, 2016 [28 favorites]


Of course they are aware of the problem! The problem is capitalism in a nutshell, and capitalism is what they are selling. "I made money from this, so screw you."
posted by a fiendish thingy at 8:54 AM on January 12, 2016 [20 favorites]


And people wonder why I'm so adamant about adblocking. I only allow ads on a handful of sites (MetaFilter included) that I know actually check their ads for shit like that.
posted by numaner at 8:54 AM on January 12, 2016 [16 favorites]


your computer is out of date. click +1 below to update java.
posted by zippy at 8:57 AM on January 12, 2016 [31 favorites]


Ad blocking isn’t the answer. In its report, the IAB estimated the amount of advertising dollars lost each year to ad blocking and further extrapolated from this figure the portion of blocked spend owing to concerns about malware: the total, $781 million.

The problem is, ads aren’t the only way to deliver malware. Email and messaging programs are also effective channels for malware.
But ad blocking is very good at blocking malware in ads. Cutting out one channel is very good for that channel, even if other channels exist.
posted by jeather at 9:03 AM on January 12, 2016 [58 favorites]


TFA: Ad blocking isn’t the answer.

It may not be the answer you want to hear, but that doesn't make it the wrong answer.
posted by anifinder at 9:03 AM on January 12, 2016 [111 favorites]


I'm active on a site that allows you to play videos (with ads) and get paid with points that you can use on gift cards and such. They obviously require you to turn off your adblocker to get the points. Every few days I get a playlist of videos that includes ads that take over the web browser and try to trick you into thinking your browser has a virus and you have to download their (infected) "update" to fix it. The only way to close out these "ads" is to go into the task manager and close from there.

Needless to say I run this stuff on private mode and religiously use uBlock everywhere else (except Metafilter and a few other sites). Also needless to say I won't be visiting Forbes again.
posted by dirigibleman at 9:06 AM on January 12, 2016 [3 favorites]


What part of "capitalist tool" don't people understand?

If you and your computer and phone aren't owned by a capitalist yet, you've somehow evaded your assigned role.
If you're _aware_ they've tried to get you, or have already got you, their tools aren't yet up to par.
You should believe you're free and independent -- and actually be entirely predictable.

I worked with a very bright young man 30 years ago who told me his goal in life was to figure out how to sell his skills out to the highest bidder. After careful thought, he went to work for Forbes.
posted by hank at 9:08 AM on January 12, 2016 [2 favorites]


Your ad revenue is not my responsibility. Neither is pretending there's some magic agreement that says I'll look at anything you put on my screen in order to view your content.
posted by blue_beetle at 9:09 AM on January 12, 2016 [55 favorites]


What it will do is starve content producers of over $75 billion of funding for quality journalism, information, and entertainment.

Ah yes, quality journalism, like when you let the "CEO of AppNexus, the world's leading independent ad tech company" write your articles on why adblocking is bad.
posted by almostmanda at 9:11 AM on January 12, 2016 [80 favorites]


I only allow ads on a handful of sites (MetaFilter included) that I know actually check their ads

(Just want to be clear about this, we don't check our ads ourselves, there's no pre-screening of ads here. Logged-in members see ads from The Deck, who are a small organization that only works directly with a limited list of advertisers; they would be hit pretty badly if malware got in there and they have the ability to check the ads they run, so we trust them. Logged-out people see Google ads, and Google has a team of people devoted to keeping malware out of their ads.)
posted by LobsterMitten at 9:12 AM on January 12, 2016 [37 favorites]


Forbes as an entity is on the ropes. The sale to an Asian investment group fell apart a couple of months ago.

Which doesn't say a lot for their experiment in “incentive-based, entrepreneurial journalism” , where contributors were responsible for both content and selling their content with Forbes providing only the platform. They've been financial alarmists casting about for page views for a long time.
posted by readery at 9:14 AM on January 12, 2016 [5 favorites]


Advertisers care about "quality journalism" in the same way potheads care about the textile industry.

Use an ad-blocker, all of you. The internet is an unusable sewer without one.
posted by mhoye at 9:17 AM on January 12, 2016 [44 favorites]


"Ad blocking isn't the answer" might be a reasonable statement in a network situation where every single corporate actor on the network didn't have strong incentives to launch multilayered attacks on my software and cognition. Or I guess in the context of a network & client architecture which didn't facilitate hostile action at every turn, if such a thing can be conceptualized.

As it stands, well, cry me a river, you fuckers.
posted by brennen at 9:19 AM on January 12, 2016 [22 favorites]


Goodbye Forbes.
posted by Artw at 9:21 AM on January 12, 2016 [4 favorites]


I continue to think that there's a business model to be had, as long as everyone involved is trustworthy and transparent. And that there are guarantees that "trustworthy and transparent" is itself checked and certified.

Advertizers, the add networks and the browser makers are all going to have to agree to some standard and transparent process, sure, but most people aren't going to want to have to just trust double-click, Google, Apple and Microsoft. There's also going to have to be someone who provides a third-party, "these folks are doing what they say they're doing" function as well. Trust should not be necessary on the part of the consumer/user.

The industry isn't that mature yet, but it needs to get there. Metafilter's ads work because everyone at every step of the chain trusts the upstream to be acting in good faith. Those sorts of single trust relationships are really hard to grow. With the right check and balances, however, that shouldn't be necessary.
posted by bonehead at 9:21 AM on January 12, 2016


On the weekend I ended up getting some stupid malware that took me a few hours to completely get rid of. It was a pain in the ass and I know what I'm doing. The only vector it could have come in on is some sort of ad. I had paused my ad blocking entirely for one site instead just whitelisting, forgot I had done it, surfed some other sites and then blam computer started popping up crap and all browsers got hijacked.

I feel for people that don't know what they're doing to get rid of this stuff. Then add onto it that I'm positive that some of the initial links about this particular malware that offered some sort of one stop removal would be malware themselves. They looked super hinky. I don't know how non techy people survive this crap.

This particular batch took 4 different programs to get rid of entirely, it was ridiculous.

I will be keeping my ad blocking software on (with exception of my whitelisted sites like Metafilter) and if a site won't serve their content because of it? Guess I won't be seeing their content. It's not worth the risk.
posted by Jalliah at 9:21 AM on January 12, 2016 [8 favorites]


Part of the problem here is reliance on remnant advertising, a cottage industry riddled with scammers, malware and mysterious technology. You can narrow down and remove an advertiser who starts serving malware in order to prevent their stuff coming up on your website, but another will soon take its place. In the end, the company's thinking is this: if we can turn on an ad spot, hook up with a remnant provider, and make money with relatively little effort, is it worth the handful of complainers? The handful of complainers who are getting a free website?
posted by theraflu at 9:21 AM on January 12, 2016


At this point it';s less the payload and more the delivery system: The thing where websites serve up a gig of random untrustworthy JavaScript just to show you an ad simply isn't sustainable.
posted by Artw at 9:23 AM on January 12, 2016 [14 favorites]


To be fair, they're half right. Ad blocking isn't the whole answer. In a case like this, you also need something like the Personal Blocklist extension for Chrome, which you can use to prevent forbes.com pages from appearing in your Google search results. Block Forbes from your search results and life gets easier for everybody -- they don't have to worry about you using an ad blocker on their site, and you're not tempted to visit in the first place.
posted by Two unicycles and some duct tape at 9:25 AM on January 12, 2016 [25 favorites]


the IAB estimated the amount of advertising dollars lost each year to ad blocking and further extrapolated from this figure the portion of blocked spend owing to concerns about malware: the total, $781 million.

Is this the same type of "extrapolation" that leads the RIAA to assert that every pirated music download is worth a million billion kajillion dollars in lost sales?
posted by Mr. Bad Example at 9:29 AM on January 12, 2016 [48 favorites]


Unfortunately, it’s simply not clear how to resolve the issue.

Sure it is. Make the owner of the domain of the displaying webpage -- the appropriate ".com" or whatever that appears at the top of the browser -- legally responsible for malware delivered while browsing their site, and fine them per intrusion on an exponential scale -- the first intrusion is $0.01, the second is $0.02...

I continue to think that there's a business model to be had, as long as everyone involved is trustworthy and transparent. And that there are guarantees that "trustworthy and transparent" is itself checked and certified.

Of course there is. I've said before that I don't mind ads as such, and would even kind of like to receive ads that were successfully targeted to my interests. What I mind are malware and grossly intrusive and distracting ads that shout and bounce around. All they had to do was just show me plain old ads like you get in magazines, but nope.
posted by ROU_Xenophobe at 9:30 AM on January 12, 2016 [21 favorites]


How does adblock detection work? Would it pick up people who've just set a bunch of ad serving domain names to 127.0.0.1 in their .hosts?
posted by ROU_Xenophobe at 9:32 AM on January 12, 2016 [2 favorites]


Malware in ads is actually such a big problem that I view getting an ad blocker to be the most important anti-malware tool you can install. Having an ad blocker and exercising basic caution cuts the number of attack vectors against you to almost nil.
posted by Mitrovarr at 9:33 AM on January 12, 2016 [16 favorites]


Plus the ads and accompanying garbage are vastly bigger in size that the pages of the sites that contain them, and unlike the sites have no motivation to reduce bloat whatsoever.

I get that content needs to be paid for, but blocking ads is becoming a necessity for the web to function.
posted by Artw at 9:36 AM on January 12, 2016 [16 favorites]


Of course there is. I've said before that I don't mind ads as such, and would even kind of like to receive ads that were successfully targeted to my interests. What I mind are malware and grossly intrusive and distracting ads that shout and bounce around. All they had to do was just show me plain old ads like you get in magazines, but nope.

I feel the same. I'm okay with the idea of ads. I'm not okay with in your face, bloated, auto playing, popping and bouncing ads, ads that bring page loads to a crawl, make pages get stuck loading or impossible to scroll properly before they're all loaded in and of course malware infected ads.
posted by Jalliah at 9:40 AM on January 12, 2016 [12 favorites]


The thing where websites serve up a gig of random untrustworthy JavaScript just to show you an ad simply isn't sustainable.

I totally agree, but there's a bigger structural problem here than just the ad ecosystem. The linked extremetech.com article makes, lemme check, 137 requests, and that's with uBlock Origin and Privacy Badger stopping at least a further 60.

Those ~200 requests for a few paragraphs of text and a few graphics aren't just the product of advertising. They're the product of a whole economy of tracky bullshit, software-as-service, bloated framework nonsense, and a bunch of technical models that almost make those things inevitable because their myriad potential abuses are like catnip to every shithead with venture capital.

Plus, yeah, essentially zero legal liability for abusing users' computational resources and data. I'm starting to think that's a big one. I used to be all "technical problems should have technical solutions", and I still feel that way, but when your technical problem is capitalism, maybe leveraging the power of the state to curb its inherently fucked up behavior is not actually crazy?
posted by brennen at 9:41 AM on January 12, 2016 [38 favorites]


I'm less worried about malware (I am on a mac, they aren't immune but are less of a target) then those goddamn ads that autoplay video and sound. And the ten million trackers.
posted by tavella at 9:43 AM on January 12, 2016 [4 favorites]


There are pages, like my local newspaper for example, that crash Chrome tabs more often than not if I don't use adblock. So blocking ads is literally the only way to actuality view their content.
posted by octothorpe at 9:44 AM on January 12, 2016 [12 favorites]


Did they ever report more on how forbes.com was hacked a while back? I read something briefly how someone spoofed a vice.com executive's address, and some genius clicked on a phishing link. few months later, and forbes was supposedly on the market, and then i read that the deal went south. this dumb right wing turd just won't die;.
posted by brainimplant at 9:45 AM on January 12, 2016


My difficulty with the concept of "woe are we, that we can't make all the money because you block our ads" is that somehow in their minds this ad-blocking behavior among consumers is new behavior. Ever since the advent of remote controls, haven't we been able to mute your commercials, or change the channel? Will you take away my steering wheel audio controls because it allows me to easily switch to a different radio station instead of the seventh tire ad you've played this hour? Last time I read a magazine, I don't recall being installed in some Clockwork Orange apparatus to ensure I didn't turn the page before digesting the ads in the back for personal services and vacation scams. Ad-blocking software is just another tool along these lines.
posted by OHSnap at 9:45 AM on January 12, 2016 [26 favorites]


blocking ads is literally the only way to actuality view their content.

That's where I am now. Adblocking is as essential as a decent firewall and anti-malware software. Just another layer of defence.
posted by bonehead at 9:46 AM on January 12, 2016 [3 favorites]


Email worms used to be the big attack vector. Now, I suspect that many users know not to run random attachments that they are not expecting to receive. Also, email can be centrally administered, the email server operator can scan attachments and block them before they even reach users.

Web pages used to be relatively static things. Javascript was there, but it did a little less, and programmers were a bit less ambitious about using it. I think GMail and Google Maps were some of the the first javascript-heavy Web Applications, I remember being amazed at the infinite scrolling in any direction in Google Maps, and how GMail behaved just like a desktop app, but in a web browser. Now visiting a web page is much more like running an program that a stranger sent you. Perhaps even worse, because by default you don't get to eyeball the sender, the text of the email message, the attachment suspiciously called "hilarious.jpg.exe", etc. You go to www.foobar.com and your browser downloads a huge bolus of code, often from OTHER domains, and then runs it, totally automatically and silently. I can't fathom why anyone thinks we need technology like WebAssembly. What we really need a sane defaults in our browsers that do not make our computers execute arbitrary code without our knowledge or consent.
posted by rustcrumb at 9:49 AM on January 12, 2016 [11 favorites]


I've been running into more and more sites that cripple themselves unless you disable your ad/script/tracker blocking. The war has definitely been engaged between advertisers and audience.

My difficulty with the concept of "woe are we, that we can't make all the money because you block our ads" is that somehow in their minds this ad-blocking behavior among consumers is new behavior.

It's the arrival of iOS 9 and ad blocking being enabled in Safari. That tipped the scales for advertisers and site owners. Shit got real almost immediately after 9 dropped. A lot of sites have already learned how to circumvent ad blocking and serve ads under iOS 9.
posted by Thorzdad at 9:51 AM on January 12, 2016 [5 favorites]


This reminds me of that great breakdown of what The Verge was up to wrt pageload/spyware.

tl/dr quote:
"Sweet Jeebus. "You have visited 1 SITE. You have connected with 47 THIRD PARTY SITES."
posted by urbanwhaleshark at 9:53 AM on January 12, 2016 [20 favorites]


as long as everyone involved is trustworthy and transparent.

I shan't hold my breath waiting for that to happen.
posted by Greg_Ace at 9:54 AM on January 12, 2016 [5 favorites]


The war has definitely been engaged between advertisers and audience.

True, but it's a war the advertisers can't win. I noticed Forbes doing this from an article link a week or two ago, and all it did was make me say "OK, guess I won't be reading that anymore".

The time to do something about ad blocking was 4-5 years ago. The thing to do was to find a way to serve ads that weren't malware-riddled, bloated, and to top it all off typically sexist/racist/inappropriate to boot. It's too late the close that barn door now.
posted by tocts at 9:55 AM on January 12, 2016 [9 favorites]


Look, if I had turned on adblocking five years ago, I never would have met my wife, Evony Maiden.
posted by robocop is bleeding at 9:59 AM on January 12, 2016 [32 favorites]


I shan't hold my breath waiting for that to happen.

That's why I said, transparent, but verified by a third party. Real, enforceable liabilities for breaching that contract of trust aren't a bad idea either, even if they're only common law.

Advertisers and ad networks would get in line quicker if there were class-action liabilities every time they did something hinkey.

Serving bad ads needs to be seen to be as serious as breaching customer info is right now (because that's what bad ads often do to a customer).
posted by bonehead at 10:01 AM on January 12, 2016 [2 favorites]


I've seen other sites beg you not to block ads before, but Forbes was the first I've encountered that prevents viewing their content at all -- which immediately made me suspicious. I won't say it's "good" to have my suspicions confirmed, but it's unsurprising.
posted by Foosnark at 10:02 AM on January 12, 2016


Is the Forbes content any good? I remember occasionally reading someone who had a blog there years ago, but that's it. I don't think I see them linked to all that much either.
posted by Area Man at 10:14 AM on January 12, 2016


I completely agree with you, bonehead.* I just don't expect it to happen any time soon.

*It's hard to sound sincere when responding to someone whose handle is an insult! :)
posted by Greg_Ace at 10:17 AM on January 12, 2016 [3 favorites]


"Real enforceable penalties"

CFAA? From my perspective, Forbes got paid to deliver malware. Where's the Justice Department now?
posted by BentFranklin at 10:18 AM on January 12, 2016 [4 favorites]


I just get sick of sites freaking out when they detect my AdBlock on Chrome. The worst is the content providers like TV networks that won't load videos at all in a browser with AdBlock. It's like they want us to say fuck it and pirate their content. So far, I haven't set up a blocker with Microsoft Edge and I keep it as a default for TV shows that won't load on Chrome. But I'm courting disaster doing so and at some point I've got to stop that.
posted by Ber at 10:19 AM on January 12, 2016 [1 favorite]


There's actually a really simple technical solution at the ad-provider level for stopping the malware: simply ensure that each ad is a standard-sized static image, optionally linking to the advertiser's website. No Flash, no JavaScript--just a JPEG. It's virtually impossible* to sneak malware in that way.

Of course, if it's just a dumb image file, you can't track users or be overly annoying, so that's out. (Project Wonderful is the only exception to this that I know of. They're generally well-behaved and so I usually whitelist them.)

I used to be sort of pro-ad, in that it was (and could still be) a reasonably way to fund websites, but I've now lost even the basic low-level will-try-not-to-do-illegal-things-to-me trust of the advertising industry I once had. I leave ublock-origin on for everything and if a website decides to stop serving me pages as a result, that's no great loss.

* You could deliver malware in a static image if the browser's image rendering code has an exploitable bug in it, but that's pretty rare, usually not portable and takes a lot of work and smarts to actually exploit.
posted by suetanvil at 10:21 AM on January 12, 2016 [6 favorites]


* You could deliver malware in a static image if the browser's image rendering code has an exploitable bug in it, but that's pretty rare, usually not portable and takes a lot of work and smarts to actually exploit.

It does happen- that's why MeFi doesn't allow images.
posted by Pope Guilty at 10:24 AM on January 12, 2016


The linked extremetech.com article makes, lemme check, 137 requests, and that's with uBlock Origin and Privacy Badger stopping at least a further 60.

If you use Firefox, NoScript is your prickly, high-maintenance friend. It lets you select from where each page you visit can load JavaScript, which generally means each site you visit will break until you've found the correct set of domains to block. But it does give you back control of your browser, so there's that.

(On the plus side, I've had sites that didn't render suddenly start working when I blocked enough JS, so there's that.)
posted by suetanvil at 10:28 AM on January 12, 2016 [9 favorites]


You can put executable code in an image src. Not sure why you'd want to except for bad reasons, but you can.
posted by Artw at 10:28 AM on January 12, 2016


Ad blocking isn’t the answer...The problem is, ads aren’t the only way to deliver malware. Email and messaging programs are also effective channels for malware...Ad blocking may close off one potential pathway for fraud, but it won’t solve the malware problem. What it will do is starve content producers of over $75 billion of funding for quality journalism, information, and entertainment

I should stop using ad blocking because it doesn't stop all malware? Apparently this massive issue is the fault of the consumer, who should leave themselves vulnerable to attack and loss, not the dumbfuck internet ad companies that allow this shit to be served and the content producers who can't be arsed to do anything about it? I shouldn't protect myself because of your bottom line? I should take the hit for you, then, is that the argument? Thanks for spelling out the principles of unfettered capitalism for me so clearly.

Sorry this is biting you in the ass, Forbes, but if this represents the height of your thinking, you deserve the recycling bin.
posted by nubs at 10:29 AM on January 12, 2016 [11 favorites]


I block ads. And I put my money where my mouth is: I make stuff and post it online for free, and offer other ways to pay for it. Mostly Patreon nowadays, because I got really tired of packaging and shipping physical books out in the middle of winter depression and haven't turned the store back on.
posted by egypturnash at 10:35 AM on January 12, 2016 [5 favorites]


It does happen- that's why MeFi doesn't allow images.

IIRC, this was due to cross-site scripting which, fair enough, is exploitable this way. The ad provider could fix it, though, by hosting images itself. (This assumes that the ad provider itself isn't trying to hack you, which is something I used to think was reasonable.)

You can put executable code in an image src.

I think (as a webdev amateur) this doesn't work on modern browsers and the browser will either try to load the script as an image (which will fail) or give up. Am I wrong?
posted by suetanvil at 10:38 AM on January 12, 2016 [1 favorite]


It's only a little ironic that the extremetech article has some javascript on it that blows up my iPhone. The page crashes three times then safari tells me "A problem repeatedly occurred on 'http://www.extremetech.com/internet/220696-forbes-forces-readers-to-turn-off-ad-blockers-promptly-serves-malware'."
posted by peeedro at 10:39 AM on January 12, 2016


My difficulty with the concept of "woe are we, that we can't make all the money because you block our ads" is that somehow in their minds this ad-blocking behavior among consumers is new behavior.

I'm no fan of web ads or the industry that produces them, but your logic ignores an important distinction between print ads and web ads. If you ignore an ad in a magazine, or a commercial on a TV station, the magazine or station still gets paid. If you block an ad on a website, the site doesn't get paid for that impression.
posted by escape from the potato planet at 10:41 AM on January 12, 2016


I think (as a webdev amateur) this doesn't work on modern browsers and the browser will either try to load the script as an image (which will fail) or give up. Am I wrong?

It may be patched on most browsers you can expect to find in the wild. IIRC it worked on IE8.
posted by Artw at 10:41 AM on January 12, 2016


The only way I can see this ever being fixed is if serving malware results in actual liability. Which it should - at the very least for the ad network.
posted by Mitrovarr at 10:43 AM on January 12, 2016 [3 favorites]


It would create liability for individual users so why not for big companies owned by billionaires?

Never mind I answered my own question.
posted by BentFranklin at 10:48 AM on January 12, 2016 [2 favorites]


It totally creates liability for big companies now. You think corporate machines are exempt?
posted by Mitrovarr at 10:56 AM on January 12, 2016


I'm in the process of setting up a thing on my home Linux box where I can build a new docker image, put chrome in it, and use that to browse pages that are either laden with javascript loads, or otherwise suspicious. After browsing the page, the docker image will get deleted. In my usual browsers I run noscript and adblock. Maybe a bit paranoid, and it will probably be slow enough that I'll just not load those pages at all. Given the crappy way the page owners are acting that may be the sensible way to do things.
posted by Death and Gravity at 10:57 AM on January 12, 2016 [1 favorite]


I remember my first reaction to reading about Cayce Pollard's allergy to corporate logos/mascots and thinking that was exactly how I felt about advertising in all its forms. I've often wished I had an IRL Ad Block that would keep me in this magic ad-free bubble, no matter where I was or what I was doing.
posted by tehjoel at 10:59 AM on January 12, 2016 [6 favorites]


Why don't you just make me click on the monkey, let's go full 1997 malware-tastic while we're at it.
posted by emjaybee at 11:06 AM on January 12, 2016 [3 favorites]


It totally creates liability for big companies now. You think corporate machines are exempt?

Absolutely. There are two sets of laws - those for the powerful and those for the rest of us. They happen to be the same laws but they are enforced differently depending on whether you are working for or against the 1%.
posted by BentFranklin at 11:09 AM on January 12, 2016 [2 favorites]


Er, you misunderstood. I meant that hacked ad servers cost big companies money by adding to the IT burden, because their computers are not immune.
posted by Mitrovarr at 11:11 AM on January 12, 2016


Forbes.com will ask you to turn off ad-blocking software or extensions that you may have on your browser in order to read their articles.

Joke's on you—with NoScript and uBlock Origin, it doesn't even get far enough to ask.

That aside, I wonder how this isn't a CFAA violation on their part. They haven't received permission to run the malware on your machine, and yet it is running as a result of what they sent you when they claimed they'd run something else.
posted by atbash at 11:13 AM on January 12, 2016 [1 favorite]


Something to distinguish the extremetech article from actual journalism: Forbes wasn't asked to comment on this. Really, I would have even appreciated a "Forbes declined to respond to our questions", or better "We asked forbes 'exact question here', and they declined to answer".

Yeah, what Forbes is doing is pretty shitty, but holy hell extremetech has a worse overall ad-ridden experience.
posted by el io at 11:15 AM on January 12, 2016


Most of my Internet use is text. But if I disable adblock, I get all sorts of popup, flyover, intrusive video, audio and flashing crap. Nope. I want to read text; screw your noisy crap.

Welcome to our site! Subscribe to our content!!!!! Yeah, how about I read the article, then decide if I want your newsletter in my email box. So, Nope, do not want to sign up.

When I read the paper newspaper, or the paper magazine, the ads are there, and I can think, O Yeah, I need tires, and there's a sale at the Tire Emporium. Ads on the Internet? Be smarter. Just because I'm on nytimes.com doesn't mean I want to buy server software; don't waste my time and bandwidth with that flyover video. Show me ads on the side, and if they're informative and useful (as if) I'll click. Kinda like the smart people at google figured out; make the ads obvious as advertising, don't make them super-intrusive, serve lots of them.

The whole web ad industry always seems to be chasing its own tail, loudly and ineffectively. I allow and sometimes even click on ads served by services like The Deck because they're not so stupid. It's a young industry. Theoretically, learning will happen. so far, not so much.
posted by theora55 at 11:22 AM on January 12, 2016 [6 favorites]


Regarding sites that give users a hard time when they are running adblockling, I've heard good things about the Anti-Adblock Killer script "to circumvent many protections used on some websites that force the user to disable AdBlockers."
posted by exogenous at 11:28 AM on January 12, 2016 [1 favorite]


Hmmm - I would like to know if they can actually stop/detect DNS/HOSTS-file based blocking...

Nope, site works fine, no ads - and no complaining crap about me blocking ads either...

So - IMO, the "best" way of blocking unwanted ads and parasites, is to use a free local DNS HOSTS file that simply blocks away requests to "bad" sites...

The best thing is that this method does not require any browser plug-in's... nor does it consume CPU or much memory on the computer which it is installed on...

The worst thing, is every few months you have to download a new copy and update it, or it gets stale...

Blocking Unwanted Connections with a Hosts File
posted by jkaczor at 11:40 AM on January 12, 2016 [5 favorites]


estimated the amount of advertising dollars lost each year to ad blocking and further extrapolated from this figure the portion of blocked spend owing to concerns about malware: the total, $781 million.

Is this how online advertising works? "There's $781 Million that we can't even give away! You just need to get more impressions." Or is it more likely that if, suddenly, everyone stopped using adblock software, the formula that determines how much you get paid would be adjusted so that roughly the same amount of money was being spent?

I suppose it could be somewhere between the two.
posted by ODiV at 11:45 AM on January 12, 2016 [5 favorites]


I am by no means and expert about this, but I don't think there's really anything special about the Forbes website in this case, it's just an example of a wider problem, namely:
  1. Content websites need ads to survive economically
  2. unless the website is so big it can attract all its own advertisers, its ads will likely come from some 3rd party ad network the website has little control over
  3. a 100% reliable way to keep malicious actors off ad networks has not been invented yet
  4. a 100% reliable way to keep annoying actors off ad networks has not been invented yet
I wish one of the web standards organizations would create some standards to give websites and users more control over the ads they see, such as an <ad> element that could be used to demarcate ads and restrict their HTML/JavaScript to a limited security-minded subset. Perhaps there could also be a smartphone-like permission system that controls video/audio/tracking request data, etc. It wouldn't be perfect, but it might help push the involved parties toward better behavior. If the advertiser wants to successfully show me an ad, they'd have to follow the rules set by both the website and myself.

If such standards were available, I think I'd block everything except properly-marked ads with no audio or animation, and I'd only allow some simple content-less standard "ad viewed" tracking request to be made.
posted by cosmic.osmo at 11:46 AM on January 12, 2016 [4 favorites]


My reaction is generally to stop going to sites that require me to disable an ad-blocker to view content. Sorry, don't care, can't be arsed. Adblock and Ghostery have been eye-openers for me (a non-techie); the sheer volume of trackers and third party networks pouring through your average website is amazing. For some sites, having Ghostery on means that you see 5-10 domains blocked. If you perform the same load with Ghostery paused, you get those same 5-10, followed by a flood (60-100??!) of additional domains that pour in after. It's not just the third parties, but the highway they provide for fourth, fifth, and sixth parties. Who are these companies? What are they loading onto my machine, and what data are they acquiring? And most critically, why should I allow them to do so?

The email analogy is a good one. I'm not going to run some random attachment sent by someone I don't know; why should I allow your website to just run code on my machine that I have no idea is even there?

Actually building trust with your users is really the only way to get them to whitelist you. But that takes work, investment, curation, and an understanding that your site will make attempts to vet the ads they show, and not just run whatever crap gets poured through that hole on the page made by your ad network.
posted by Existential Dread at 11:47 AM on January 12, 2016 [8 favorites]


3. a 100% reliable way to keep malicious actors off ad networks has not been invented yet
4. a 100% reliable way to keep annoying actors off ad networks has not been invented yet


It's not that - it's that almost nobody at all on the side pushing the ads has shown any interest in even *trying* either of those things. 100% isn't just a high bar - it's closer to the inverse proportion.
posted by atbash at 11:49 AM on January 12, 2016 [4 favorites]


When I turn off uBlock to view a site at the site's request and I see notifications for eleventy-hundred trackers filling the uBlock icon before I've even completely loaded the site I know something's probably seriously wrong. Forbes' supposed "ad-lite" experience serves up >29 domains in that manner.
posted by blucevalo at 12:12 PM on January 12, 2016


The domains could force all the ad traffic through their servers and check for malware there. That would increase the effectiveness from 0% to 90%.
posted by BentFranklin at 12:21 PM on January 12, 2016


tehjoel: "I remember my first reaction to reading about Cayce Pollard's allergy to corporate logos/mascots and thinking that was exactly how I felt about advertising in all its forms. I've often wished I had an IRL Ad Block that would keep me in this magic ad-free bubble, no matter where I was or what I was doing."

Heh. My main machine is named Cayce.

Well, I was really loving me some Pihole on one of my machines, but then I started having weird DNS issues, so I had to sideline it for a while. It was nifty in that no site ever complained about adblocking then.

The streaming video crap really starches my shorts. I am on an AT&T DSL Pro line, which caps out at about 3 megabits. Your video ad is just going to chow down on my browsing experience, asshats.
posted by Samizdata at 1:10 PM on January 12, 2016


a 100% reliable way to keep malicious actors off ad networks has not been invented yet
a 100% reliable way to keep annoying actors off ad networks has not been invented yet


Only allow them to serve jpegs.
posted by ROU_Xenophobe at 1:32 PM on January 12, 2016 [3 favorites]


Yeah, the claim that ads just can't be served safely doesn't really hold water. Can there be a bug in an image processing library that allows malicious code execution? Yes. However, that situation is exceedingly rare, and is explicitly an error condition. This is in marked contrast to how ads are served currently, in which the ads are attached to full-fledged programming environments that intentionally allow for all sorts of power that the ad networks are abusing.

Even if malware pushers did respond by moving to more image-based exploits, a move to plain image only advertising would still knock out about 99.999% of malware (and basically all privacy-encroaching trackers, etc).
posted by tocts at 1:40 PM on January 12, 2016 [2 favorites]


As a very early user of the Opera browser (ca. '98) I got used to "if it won't load, it's broken and I don't need it."
I might have been wrong, but it's a useful habit and while everyone I knew was reformatting, I was just browsing.
If I just have to see something, I have a lovely collection of live discs with flash enabled and everything, and I even set one up (Porteus kiosk) that opens to facebook by default so that GF and visiting teens can do what they will.
Stress less.
posted by Alter Cocker at 1:47 PM on January 12, 2016


It's not that - it's that almost nobody at all on the side pushing the ads has shown any interest in even *trying* either of those things.

Yes they do, and they do do it. The problem is larger than "trying."

By "they" I mean the ad networks. I know socially some people who worked at a, let's call them "problematic," ad network, and they told me they spend a lot of resources on malware detection. One has spent time on an Ad Security organization (industry-side), so it's not like it's not something they think about.

The problem is that the technology that ad networks use to serve ads has evolved into a realtime-auction model where an ad is not selected (and served) until the page actually loads. In this process, a whole cycle of pricing, inventory, selection, and payment occurs in a split second.

This model also illustrates a gateway for customers of the ad network to have almost-unfettered access to your browser via javascript. In the split-second of the auction process, the ad network also has to endeavor to filter malicious code from the bytes they're serving hand over fist. This is a hard problem!

Of course, the counter to this is to limit what is served, but when you're talking about "Javascript," there is no easy way to filter or limit an entire language.
posted by rhizome at 1:50 PM on January 12, 2016 [2 favorites]


Of course, the counter to this is to limit what is served, but when you're talking about "Javascript," there is no easy way to filter or limit an entire language.

From an ad viewer's point of view, the server has no business serving javascript at all. Just serve jpegs. If absolutely required, have the ad server provide its own video player for the ads to use to play video.

(alternate option: people advertising on ad networks have to put up a hefty deposit and if they push malware, they forfeit it)
posted by BungaDunga at 2:07 PM on January 12, 2016 [1 favorite]


The Intelligence Orgs would be happy to pay any deposit, and they're pretty good at hiding their tracks.

Unwinding ad networks from Javascript is going to be a tough row to hoe.
posted by rhizome at 2:14 PM on January 12, 2016


<script type="javascript">
if(window.adCount > 0){
     alert('Nope nope nope');
     window.close();
}
</script>
posted by blue_beetle at 2:16 PM on January 12, 2016


And everyone was so happy getting rid of Flash...
posted by Artw at 2:21 PM on January 12, 2016


> * You could deliver malware in a static image if the browser's image rendering code has an exploitable bug in it, but that's pretty rare, usually not portable and takes a lot of work and smarts to actually exploit.

The very first iPhone jailbreak was based on an issue in libtiff, and at least one more jailbreak relied on libpng, so that's two widespread image-based exploits, and Pwn2Own is a contest based on exploiting web browsers. Image rendering code is a fairly popular target there.

Stagefright allows a remote attacker to perform remote code execution via Android's multimedia libraries, which the default web browser uses, though more worryingly, receiving an MMS would have been enough to be exploited.

Not disagreeing that it's harder to exploit image rendering code, but a black hat's malicious image ad in Forbes' ad network could have taken control of any Android device prior to 2015 that viewed their ad. That's a pretty large group of people, and there are probably a few moderately rich/powerful people in that group. Their emails (the messages, not the addresses) would be worth quite a lot to the right parties.

> ...build a new docker image, put chrome in it, and use that to browse pages...

Jessie Frazelle has just the post for you.
posted by fragmede at 2:39 PM on January 12, 2016 [4 favorites]


This line in the article caught my attention:
In 2015, some malicious sites began serving ads over HTTPS, making it much more difficult to identify their source or deconstruct the attack.
I am totally ignorant around these matters but I thought HTTPS was supposed to make things more secure. Also, I thought there was something about HTTPS meant a certain level of trust in the site. Now it seems that HTTPS makes things less secure and gives badness more hiding places. WTF?
posted by CCBC at 3:18 PM on January 12, 2016


How does adblock detection work? Would it pick up people who've just set a bunch of ad serving domain names to 127.0.0.1 in their .hosts?

Basically, you serve something that you expect to be recognised as an ad (it doesn't have to actually be an ad) and check if it loaded successfully. That's obviously not foolproof, but it gets you a good chunk of the way there. Some ad blockers work by altering the CSS to resize things to 0 x 0, so you'd have to check for that separately.

In the split-second of the auction process, the ad network also has to endeavor to filter malicious code from the bytes they're serving hand over fist. This is a hard problem!

As I understand it, the Google ad exchange does at least some rudimentary checking because you have to submit an ad for approval before you can bid with it. They can and do revoke their approvals, and if they can't always detect accidental bad submissions on the first try, I don't know how much confidence you should have in their detection of malware.
posted by hoyland at 3:43 PM on January 12, 2016


I just had a crazy thought, guys: it's theoretically possible that this kind of realtime-auctioned mega-volume so-transient-it-can't-even-begin-to-be-secured in-your-face obnoxious advertising is a bad business model that readers have no moral obligation to support. And maybe, just maybe, this is the shit-filled bed the ad industry has made for themselves, that they're now lying in.

If we all try hard enough, we might even be able to imagine that it's ultimately their problem to solve, probably by something so groundbreaking that it has yet to be conceived, like delivering a product that's not actively hostile to those who encounter it.
posted by tocts at 5:48 PM on January 12, 2016 [15 favorites]


I am totally ignorant around these matters but I thought HTTPS was supposed to make things more secure. Also, I thought there was something about HTTPS meant a certain level of trust in the site. Now it seems that HTTPS makes things less secure and gives badness more hiding places. WTF?

HTTPS protects against certain things, but not against others. Basically, it's meant to validate that you're actually talking to the server you are connecting to and prevent eavesdropping of the communication by third parties. That's it. There's nothing that prevents someone from creating https://malwareserver.com and sending malware to anyone who goes there.

The article was not specific about what the malicious sites were doing, but I imagine it was something like this: some companies have systems that actively check for malware by eavesdropping on people loading web pages. That only works if the web pages are not HTTPS. If a page with malware is HTTPS, these systems can't scan it, so it can get past them.

Now there are ways to make those malware scanners work with HTTPS, by basically telling your computer to trust them specifically and allow them to be "a man in the middle" for all your HTTPS requests, but comes with its own problems. Namely, now the server can see everything you send over HTTPS, not just malware, including login/passwords, credit card websites, online purchases, etc.
posted by cosmic.osmo at 8:31 PM on January 12, 2016 [2 favorites]


I'm in the process of setting up a thing on my home Linux box where I can build a new docker image, put chrome in it, and use that to browse pages that are either laden with javascript loads, or otherwise suspicious.

Is Docker robust enough if, say, some Russian zero-day ransomware ends up in the ad network? I thought it was essentially like a chroot jail; enough to compartmentalise polite applications cheaply, but no defence against malicious actors.

Having just built a new Linux box, and taking advantage of the fall in price of powerful CPUs and RAM, I have found myself able to afford to make VirtualBox VMs on a whim. I currently have one which is solely for being logged into Google and Facebook in (leaving my main browser there dissociated from my identity there), and am going to make one which will be used exclusively for online banking. When I find myself needing to switch off NoScript/uBlock for sketchy sites, that will also involve spawning a VM.
posted by acb at 3:02 AM on January 13, 2016 [1 favorite]


What about what about what about Ad Rights?
posted by iamck at 5:53 AM on January 13, 2016


I'm thinking of using Docker and a fresh browser each time (which is less intensive than setting up a whole new vm each time) partly to contain malware and partly to generate a new browser "identity" on each invocation - so cookies, local storage, web fonts and all will disappear with each new invocation.

Given that I'm running linux and in docker, any exploit would have to be tailored to exactly that setup in order to break out of the jail and that seems reasonably unlikely. I'm still experimenting to try to find a good way to set things up.
posted by Death and Gravity at 8:06 AM on January 13, 2016


Qubes OS is designed to make this sort of thing easy, and almost certainly more secure than Docker containers.
Qubes makes it so that multiple VMs running under a Type 1 hypervisor can be securely used as an integrated OS. For example, it puts all of your application windows on the same desktop with special colored borders indicating the trust levels of their respective VMs.
posted by BungaDunga at 11:40 AM on January 13, 2016 [1 favorite]


Here's how I see it:

If your content is good, I'm more than happy to pay a regular fee. I'm going to keep coming back to your site because I can generally count on you for a stream of engaging content. I paid for a Metafilter account (not monthly, but I would if there was an option!) and I pay for an LWN account (electing to pay more than the minimum, actually.)

If it's not consistently good, you might get the occasional pageview from me when someone links to it, but that's about it. I'm not going to pay if you try to block me for having an ad-blocker, I'll just say "screw it" and move on.

Now this model -- if everyone were to adopt it -- would absolutely *slay* sites like Forbes and other "platform" sites who rely on "broad but shallow" readership. It would help sites like Metafilter or LWN, which have a much more engaged audience.

I'm entirely OK with this.

What I'm not OK with is ads. So I won't be requesting or rendering any, thank you very much.

(If you do want my viewership but don't want to go for the first model, then make your site free and ad-free. You know, like web sites used to be! You can indeed run a high-traffic site on the cheap if you take a pass on the trendy multi-megabyte pages crammed full of pointless JS and huge images.)
posted by -1 at 4:22 PM on January 14, 2016 [1 favorite]


not monthly, but I would if there was an option

It is!
posted by BungaDunga at 5:26 PM on January 14, 2016


« Older “Uno,” forward Kent Bazemore said, “is always a...   |   quantified sneezes Newer »


This thread has been archived and is closed to new comments