Cryptowall being served by ads on major sites like BBC and NYT
March 16, 2016 1:07 PM

Ars Technica reports that the tainted ads may have exposed tens of thousands of people over the past 24 hours alone. According to a blog post published Monday by Trend Micro, the new campaign started last week when "Angler," a toolkit that sells exploits for Adobe Flash, Microsoft Silverlight, and other widely used Internet software, started pushing laced banner ads through a compromised ad network. SpiderLabs has found ads with more than 1200 lines of obfuscated code designed to slip past security software. Malwarebytes reports that the surge started this weekend, and includes sites like msn, nytimes, bbc, aol, my.xfinity, nfl, realtor.com, theweathernetwork.com, thehill, and newsweek. Affected networks included those owned by Google, AppNexus, AOL, and Rubicon.

If you use Internet Explorer, install AdblockPlus here; for Firefox, Chrome and Safari, Ublock Origin is here.
posted by SecretAgentSockpuppet (186 comments total) 50 users marked this as a favorite
 
Dear WIRED,

Here's the thing about ad blockers...

{screed redacted}

Sincerely,

sidereal

p.s. you assholes
posted by sidereal at 1:10 PM on March 16, 2016 [74 favorites]


This kind of exploit is going to keep happening. The most egregious cases involve PageFair, which offers a tool to publishers that circumvents ad blockers. They too have served malware, for instance at The Economist. Sometimes I think we ought to have civil liability for software security. A few lawsuits would help provide some consequences to sites that compromise tens of thousands of consumers this way.
posted by Nelson at 1:12 PM on March 16, 2016 [29 favorites]


next time we make an Internet, let's keep commercial activity off of it altogether. for-profit organizations are simply too slimy to be trusted around computers.
posted by You Can't Tip a Buick at 1:15 PM on March 16, 2016 [66 favorites]


uBlock Origin, folks. You can whitelist sites like Metafilter.
posted by Splunge at 1:16 PM on March 16, 2016 [16 favorites]


Thank goodness for AdBlock and Linux.
posted by jgaiser at 1:17 PM on March 16, 2016 [8 favorites]


If Wired doesn't want me to read or share their articles, then I am happy to oblige.
posted by ckape at 1:21 PM on March 16, 2016 [15 favorites]


But but but you made us do it, by using your adblockers and your ghosteries and such. If you had only let us load 5 GB of ads for a 50 MB article page, we wouldn't have been forced to use slimy malware to infect your computer in order to get around your adblockers and ghosteries and such!
posted by Existential Dread at 1:22 PM on March 16, 2016 [24 favorites]


Oh good, it's time for yet another review of my security practices. Running a tiny one-family KGB is getting ridiculous.
posted by selfnoise at 1:25 PM on March 16, 2016 [78 favorites]


So.. if one *wasn't* running an ad blocker in the last week, and one *was* obsessively visiting various news sites (google news, and nytimes), how would one check to make sure one has not contracted something unfortunate?

One doesn't run microsoft silverlight because.. why would one do that? One also only has the Chrome version of flash.
posted by nat at 1:34 PM on March 16, 2016 [3 favorites]


A few lawsuits would help provide some consequences to sites that compromise tens of thousands of consumers this way.

OK, so where does the responsibility of the consumer come in? These attacks are mostly using exploits for vulnerabilities that have been patched by the vendors that the users haven't bothered to apply. Who do you propose should pay? The source of the exploitable software? The ad network? The site that was a victim of the infected ad? Who do you think was actually negligent rather than a victim of really smart and aggressive criminals? How exactly do you think they can and should have done better?

Writing secure code is hard (made easier today by modern languages, but huge parts of the underlying code were written in non-memory-safe languages, and it will take a very long time to get out from under that) and getting people to keep systems up to date is hard. It's really easy to write rants about how advertising is evil and Microsoft/Apple/Google/Adobe are evil, and publishers are evil (and those comments surely get lots of favorites) but coming up with a solution that actually works at scale is really, really difficult.

People want content, it's provable that most people will not pay for it directly, and the world would be a worse place without journalism. The internet as it benefits you and me and the world cannot exist without money, so if you have a real solution, please present it.

If you want an experiment to see how much of the web can exist without advertising, don't block ads, block the entire site for a week. There's lots of free content out there, sure, but the vast majority of what you want to read on a daily basis would go away. Content publishers don't love lots of ads, they don't like intrusive ads, they run them only because they're the only thing that keeps the servers on and the writers paid.
posted by Candleman at 1:34 PM on March 16, 2016 [12 favorites]


I succumbed to an adblock. When I hit sites that tell me I can't unless I whitelist them I just add the site to my hosts file and move on. Life is too short for shitty internet.
posted by cjorgensen at 1:35 PM on March 16, 2016 [2 favorites]


Sometimes I think we ought to have civil liability for software security.

They keep calling themselves software "engineers" though. I know this is an old gripe, but honestly.
posted by bonehead at 1:35 PM on March 16, 2016 [13 favorites]


they're the only thing that keeps the servers on and the writers paid.

Well, the servers on anyway.
posted by Naberius at 1:38 PM on March 16, 2016 [44 favorites]


(I actually did write a screed called "Here's the thing about shitting in my hat" but couldn't think of anywhere to post it. Looks like it'll write itself, now.)
posted by sidereal at 1:41 PM on March 16, 2016 [8 favorites]


Who do you propose should pay? The source of the exploitable software? The ad network? The site that was a victim of the infected ad? Who do you think was actually negligent rather than a victim of really smart and aggressive criminals? How exactly do you think they can and should have done better?

The site first-off, and if they want to go after the ad network, they can. Strict liability, none of this "But we couldn't have known to secure our site" business.

How should they have done better? By not including third-party executable code, and doubly-so by not reselling the slots in remainder auctions. Static HTML & first-party images only.
posted by CrystalDave at 1:44 PM on March 16, 2016 [30 favorites]


DONK DONK

tainted ads

(whoaaaa)

BA-DONK DONK

tainted ads

don't cryptolocker me, I can't stand the way you tease

DONK DONK
posted by boo_radley at 1:47 PM on March 16, 2016 [47 favorites]


> for Firefox, Chrome and Safari, Ublock Origin is here.

Minor warning: the original post is currently linking to regular uBlock, not the better uBlock Origin (by the original uBlock author who didn't like the direction its old project was taking and disowned the earlier versions).
posted by Bangaioh at 1:50 PM on March 16, 2016 [12 favorites]


<joke>Looks like AlphaGo came up with a new go move. Hang on, all of my phones are ringing at once, let me go check that... </joke>

uMatrix is a more sophisticated tool by the same guy who makes uBlock Origin that will block scripts, frames, etc. on a site-by-site basis. Might be useful for tightening up your browsing security if you've got the patience to be that specific.
posted by XMLicious at 1:51 PM on March 16, 2016 [4 favorites]


Mods you should really swap Bangaioh's link into the FPP as soon as possible
posted by XMLicious at 1:54 PM on March 16, 2016 [4 favorites]


> If you want an experiment to see how much of the web can exist without advertising, don't block ads, block the entire site for a week. There's lots of free content out there, sure, but the vast majority of what you want to read on a daily basis would go away. Content publishers don't love lots of ads, they don't like intrusive ads, they run them only because they're the only thing that keeps the servers on and the writers paid.

Certainly, the vast majority of what I read on the web would go away without advertising to support it — and if it went away, I'd be better off for it. The Internet content we spend so much time reading and writing is a good like heroin is a good — we may be hooked, but we'd be better off without.
posted by You Can't Tip a Buick at 1:55 PM on March 16, 2016 [9 favorites]


I always prefer "computerologist" to software engineer, but no one else seems to like it.
posted by Death and Gravity at 1:56 PM on March 16, 2016 [18 favorites]


Does anyone think something like this might be a bit like the TJ Maxx/Target attacks were for retailers? The sense I have now is that even the biggest, best known mags/news/content sites are so desperate to sell ad space they're allowing some really sleazy resellers access, without much oversight. Mostly I've heard complaints about this from the advertisers' end --- they're pretty sure they're paying for worthless bot-driven clicks/views --- but publishers haven't said dick because they're happy to have any source of additional clicks. But if people start ad blocking everything, could it make them perk up?
posted by Diablevert at 1:57 PM on March 16, 2016 [1 favorite]


Don't forget to install your AdBlock-Blocker Blocker!
posted by blue_beetle at 1:58 PM on March 16, 2016 [7 favorites]


I helped build Google AdWords, so I certainly can deliver the "ads are good and necessary" lecture with some intimacy. What makes me angry is the incompetence of the ad networks that consistently are serving malware to people. I can even sort of accept that is inevitable, but then on top of that PageFair is now deliberately circumventing my ad block security software, and then serving me malware. That seems like it should incur liability to me. (To be clear, PageFair isn't involved in this latest ad malware debacle; their failure was 4 months ago.)

As for who bears responsibility for the malware, I blame it primarily on the ad network that serves the actual malware bytes. In past attacks they have either had malware uploaded and served as legitimate ads, or else had their serving infrastructure hijacked to serve new stuff.
posted by Nelson at 1:59 PM on March 16, 2016 [19 favorites]


[Swapped.]
posted by cortex (staff) at 1:59 PM on March 16, 2016 [7 favorites]


I always prefer "computerologist" to software engineer,

I do like the similarity to phrenologist, which is at least more honest.
posted by Mrs. Davros at 2:00 PM on March 16, 2016 [3 favorites]


Content publishers don't love lots of ads, they don't like intrusive ads, they run them only because they're the only thing that keeps the servers on and the writers paid.

Oh, that's why they keep showing pop over ads, pop under ads, pop up my ass ads. Because they don't like it.
posted by Foci for Analysis at 2:03 PM on March 16, 2016 [22 favorites]


It so happens that I have mail-order degrees in computerology and computeronomy!
posted by ckape at 2:06 PM on March 16, 2016 [21 favorites]


I uninstalled corel paint shop pro last night because the bastards serve ads in a system tray window from their automatic updater! Now that's a great attack vector...
posted by xiw at 2:08 PM on March 16, 2016 [1 favorite]


Unlike ublock, actually ublock origin is only for Firefox and Chrome, not for Safari. For Safari, Adguard does a good job and doesn’t slow down the browser.
posted by bitteschoen at 2:11 PM on March 16, 2016 [1 favorite]


Aww come on, you could hack into Jeep Cherokees over the internet a year ago. It's not just software engineers, it's engineers in general. Or really the PHBs who manage them, for that matter.
posted by XMLicious at 2:13 PM on March 16, 2016 [1 favorite]


It's not just software engineers, it's engineers in general

Tell ya what, first, pass the software equivalent of an S.E. exam, then go and buy some E&O insurance for software "engineering" and then I'll call it engineering.
posted by aramaic at 2:18 PM on March 16, 2016 [18 favorites]


IIRC the industry got special dispensation back in the early '80s so that we couldn't sue them when our shiny pc burped and we lost a week's work in a microsecond.
To "kickstart the tech" they said.
Never revisited or reviewed and now enshrined as case law, guess it's kicking back.
This is really the American way; we like innovation so much we don't want to regulate anything until it's a real problem, and then it's too late.
Examples started at least with the railroads.
posted by Alter Cocker at 2:26 PM on March 16, 2016 [4 favorites]


Is CryptoPrevent effective against this latest strain? Where does it try to execute from? (On the go and can't read TFA)
posted by snuffleupagus at 2:28 PM on March 16, 2016


Isn't AdBlock Plus the really shitty one that lets companies get whitelisted if they pay cash?
posted by koeselitz at 2:30 PM on March 16, 2016


>DONK DONK

Okay, smart guy, you got something ELSE I can sing to get that out of my head?
posted by Sing Or Swim at 2:33 PM on March 16, 2016 [4 favorites]


Has anyone checked out those Deck ads? Serious question - I think it's appropriate to ask at this point.
posted by sidereal at 2:35 PM on March 16, 2016 [2 favorites]


Hell, what we need is a building code for software. I can't remove a skylight without a license, permit and two inspections, but we're supposed to just trust that the people writing the code that pretty much defines our whole modern lives to just do everything correctly, even in the face of constant failures? There oughta be some kind of standards and third-party oversight before programs are allowed out into the wild.
posted by Anticipation Of A New Lover's Arrival, The at 2:37 PM on March 16, 2016 [21 favorites]


What makes me angry is the incompetence of the ad networks

Don't forget their greed and willingness to shaft any and all in search of an easy buck.

I know why publishers abdicated responsibility for what the advertising on their sites is and does, but this is why things are where they are. They won't get better until that changes, and strict liability is one way of moving in that direction. It'll kill a lot of the industry, but nearly all of the shittiness.
posted by Devonian at 2:39 PM on March 16, 2016 [4 favorites]


"Oh, that's why they keep showing pop over ads, pop under ads, pop up my ass ads. Because they don't like it."

An ongoing fight at my old job was that pop-over ads for non-profits are one of the few things that work for getting people to subscribe to your stuff. But they make the internet and world worse. But they work. But they make everything shit and I hate them.

My solution, to have good content that people wanted to engage in, was deemed infeasible.
posted by klangklangston at 2:42 PM on March 16, 2016 [18 favorites]


Isn't AdBlock Plus the really shitty one that lets companies get whitelisted if they pay cash?

Yes. They had an Acceptable Ads category since 2011. I actually liked it when it started out because I liked the idea of pressuring advertisers into only showing text or static ads. And then they started whitelisting any company who'd pay up. They whitelisted Taboola for example. That's when I stopped using them and switched to uBlock Origin.
posted by dragoon at 2:46 PM on March 16, 2016 [10 favorites]


Hell, what we need is a building code for software.

The problem is that it's less engineering than an art. There aren't straightforward, unambiguous ways to write or even completely test code to solve a given set of client problems, as there are with turbines or air conditioners or even buildings. There are no ASTM or SAE or IEEE standards to apply or to hold software up to, none of the normal machinery that engineers actually use. And there's almost certainly no underwriter who would give liability insurance on a general-purpose piece of software.
posted by bonehead at 2:47 PM on March 16, 2016 [19 favorites]


There oughta be some kind of standards and third-party oversight before programs are allowed out into the wild.

We'd need some kind of professional trade organization for developers like a guild or union to get any standards like that not written by some moron who thinks they "get" the internet because it's been explained to them as like a series of tubes. And you know what happens to people who even speculate too enthusiastically about labor organization being good for anything in a country where free speech is as important as it is in America...
posted by saulgoodman at 2:49 PM on March 16, 2016 [2 favorites]


I'm a lazy bastard so I just use the Adblock extension on Chrome (note, not Adblock Plus). I figure if it's enough to piss off Slate and Wired every time I open up their pages, it must be doing something right.
posted by Ber at 2:52 PM on March 16, 2016 [1 favorite]


A really effective, organized software engineer's guild, one with the ability to enforce who can and cannot write software, would immediately become one of the most powerful organizations in the world. It wouldn't be a guild like the old medieval guilds, it would be a guild like the Spacing Guild in Dune.
posted by You Can't Tip a Buick at 2:54 PM on March 16, 2016 [27 favorites]


I also use Ghostery for Chrome, not sure if that helps against this shit though.
posted by Brocktoon at 2:56 PM on March 16, 2016 [2 favorites]


There oughta be some kind of standards and third-party oversight before programs are allowed out into the wild.

For certain kinds of programs, this already exists implicitly (e.g. healthcare and aerospace) because of liability concerns, but to apply this generally would freeze out open source software. Anybody who thinks that this is a good thing to apply generally doesn't really know much about software.
posted by smidgen at 3:04 PM on March 16, 2016 [12 favorites]


Sometimes I think we ought to have civil liability for software security.

I could get behind making software engineers finally earn the engineering part of their title.
posted by a lungful of dragon at 3:05 PM on March 16, 2016 [1 favorite]


SecretAgentSockpuppet: Thanks for this post!

I have come to hate the retail internet; I wish there was a separate one for grown-ups.

I did not know about uBlock Origin, but it's up and running now. Thanks for the tip!
posted by cool breeze at 3:05 PM on March 16, 2016 [5 favorites]


My life has been a lot less stressful at home since we've started using ublock origin (not uBlock which seems to have died). Turning off flash and java in all our browsers seems to have made a big difference too. Honestly, ditching the whole plug-in system seems to be the best idea at this point.
posted by bonehead at 3:09 PM on March 16, 2016


If you have software engineers, you still have the problem of places that only hire programmers to save money.

If you have a software guild or some sort of mandatory licensure, congratulations on pulling the ladder up on one of the last middle class jobs that doesn't require a degree. "Everyone a programmer" isn't a great idea, but "no programming for you, pleb" is a hell of a lot worse.

I have severe problems with the term 'software engineer' as used, but saying that people can't have general computation is pretty terrible.
posted by The Gaffer at 3:11 PM on March 16, 2016 [22 favorites]


Running browsing sessions in throwaway VMs is looking better all the time. At least whatever malware gets through your other defenses would also have to include a VM escape exploit to do any real damage.

The uMatrix recommendation upthread is great, btw. I used it to replace NoScript and not only is it more granular (you control exactly which hosts may do what for each domain you visit) it's much, much faster. Like, Google Maps no longer pegs my CPU to 100% faster. If you're on a platform like Android where uMatrix is not available, the dynamic filtering feature in uBlock Origin is almost as good, though not quite as granular.
posted by indubitable at 3:12 PM on March 16, 2016 [7 favorites]


>DONK DONK

Okay, smart guy, you got something ELSE I can sing to get that out of my head?
posted by Sing Or Swim at 2:33 PM on March 16

watch old episodes of Law & Order until DONK DONK doesn't mean tainted love anymore.
posted by You Can't Tip a Buick at 3:12 PM on March 16, 2016 [26 favorites]


Turning off flash and java in all our browsers seems to have made a big difference too. Honestly, ditching the whole plug-in system seems to be the best idea at this point.

Oh wow, yeah. I never installed a Java plugin and I uninstalled Flash a year ago. At this point, if I come across something that ABSOLUTELY REQUIRES Flash, I just ignore it and move on. The Internet is too big a place to risk the security nightmare of Flash to access one tiny slice. So far, that hasn't included anything show-stopping important like health insurance, so I've been lucky.
posted by indubitable at 3:18 PM on March 16, 2016


Actually software is far far too subtle for human political systems to wisely regulate. Any software engineers guild would be an unmitigated disaster within a decade.

Imagine if we could ignore all the evil fuckers in the software world by say giving only Debian developers the power to determine if a piece of software incurred liability or not. I'll point out that Debian's default XMPP client Empathy has taken a firm stand against OtR encryption, basically because it'd mess up their pretty little IPC model. In other words, these otherwise highly ethical developers are still overtly supporting mass surveillance. Idiots.

Just fyi, Subgraph OS is the new secure operating system hotness, btw. It's less VMed than Qubes OS but infinitely more usable, like cut & paste actually works. And Subgraph has put serious work into curating application security for stuff like email, XMPP, etc. As opposed to just declaring victory when they spin up a VM.
posted by jeffburdges at 3:18 PM on March 16, 2016 [3 favorites]


go and buy some E&O insurance for software "engineering" and then I'll call it engineering

Errors & omissions insurance is not really hard to obtain for a programmer. I don't really think of myself as an engineer, except maybe in the Montgomery Scott sense, but I do have a policy. It's not even that expensive.

I think it'll take some sort of fundamental paradigm shift in technique or something along those lines before we're even in the neighborhood of being able to seriously discuss certifying software developers as engineers. Right now, we're in the barbers-perform-surgery phase of the profession's evolution.
posted by feloniousmonk at 3:24 PM on March 16, 2016 [13 favorites]


"next time we make an Internet, let's keep commercial activity off of it altogether. "

I remember the first banner ad I saw on the internet, probably on one of the search engines, my words were, and I quote, "This is not a good idea."

Once again I was right... OK... that one time I was right...
posted by HuronBob at 3:24 PM on March 16, 2016 [7 favorites]


I think strict liability for any company that holds software patents might be fun, too.
posted by Devonian at 3:31 PM on March 16, 2016 [1 favorite]


I can't stop getting infected because it is entirely too entertaining to keep playing all the time
posted by dorian at 3:33 PM on March 16, 2016 [1 favorite]


I do think just the web could perhaps be partially regulated in tandem with hardware sales.

We could make computer retailers liable for vulnerabilities in the default web browser that ships with the machine. Apple would for example be liable if Safari's default configuration allowed any sort of tracking cookies, cross site scripting vulnerabilities, etc.

We'd just ship all new computers with ultra-hardened browsers based on Mozilla's awesome Servo project. And users would be told to install an insecure fun browser like Safari, IE, Chrome, etc. in a sandbox.
posted by jeffburdges at 3:36 PM on March 16, 2016 [2 favorites]


but, yeah, ads are a serious, major vector.
I don't worry too much 'cos

a. lunix
2. chromium built-in sandbox
vi. ghostery
9. scriptsafe

WHY IS THIS MY RESPONSATILITY?
posted by dorian at 3:41 PM on March 16, 2016 [3 favorites]


I don't really think liability for software is workable in general, I mostly threw it out as a strawman. And out of ire for things like PageFair that are deliberately circumventing security protection, that to me suggests elevated liability. In general though I think software is way too much of an art, and changing way too fast, to benefit from being shackled to a licensing and insurance regime.
posted by Nelson at 3:42 PM on March 16, 2016 [2 favorites]


WHY IS THIS MY RESPONSATILITY?
posted by dorian at 3:41 PM on March 16


because everything is awful, a lie, or an awful lie.

if you want to know what the inside of my mind looks like, take the crankiest parts of adorno and the weirdest, most apocalyptic parts of baudrillard, blend them all up together, and then drop in just a dash of holden caulfield.
posted by You Can't Tip a Buick at 3:45 PM on March 16, 2016 [5 favorites]


1. Software systems are far too complex to ever be completely, provably secure.
2. Bad guys have huge incentives to find and exploit vulnerabilities.
3. Uh, how much did you pay, or how much would you pay, for your browser?
posted by DarkForest at 3:46 PM on March 16, 2016 [10 favorites]


I remember the first banner ad I saw on the internet, probably on one of the search engines, my words were, and I quote, "This is not a good idea."

have you ever had your computer owned just by viewing a banner ad?
you will.

(and att will bring it to you)
posted by entropicamericana at 3:50 PM on March 16, 2016 [3 favorites]


Actually the E.U. Data Protection Directive already forces websites to notify users of tracking. It's interesting this regulation fell upon websites rather than browser venders, probably Microsoft and Google spent some major lobbying $ on that.

I recently submitted a criticism of the W3C Verifiable Claims project which noted that violating the same origin policy like they plan on doing clearly falls under the EU DPD and therefore might expose the browser venders to greater regulation.
posted by jeffburdges at 3:50 PM on March 16, 2016 [2 favorites]


Isn't all this talk of liability of code and engineering moot in this case though? It's not about the fact that the code is vulnerable, it's the fact that the ad networks, and then the websites in turn, allowed a bad actor into their network.

There's no difference between this and hiring contractors. If I work for company A that hires through company B to hire a contractor to do X work. If that contractor does something bad, I'm responsible. And as such, I made sure when I signed a contract with company B that they are also responsible. This means that company B is a lot more selective in who they choose to be their contractors.


It doesn't matter who's liable for the vulnerability of the code, it matters who's liable for serving bad content. It's not unreasonable to ask companies to make sure the partners they are hosting aren't bad actors and to review the code before they push it onto their networks.
posted by mayonnaises at 3:52 PM on March 16, 2016 [3 favorites]


give me 1990s usenet and early-2000s irc and I would gladly forego all web browsing altogether.

as a place for making tight-knit groups of weird fun friends, early internet was wonderful. as a method for mediating all social activity altogether, modernweb is garbage.
posted by You Can't Tip a Buick at 3:52 PM on March 16, 2016 [39 favorites]


Everything's a disaster and every proposed solution will just be a bigger disaster, but... something, something... It's all good, eh? We just need more disruptification and it'll all sort itself out. (Sorry if I seem bitter. Got hit by a bunch of bogus bank charges recently. Seems to be a never ending battle to catch all the little nickel and dime scammers these days, on top of scams like this.)
posted by saulgoodman at 3:54 PM on March 16, 2016 [2 favorites]


you have no idea how many friends and enemies ?and I guess frenemies? I have from USENET. the intarwebs have become vaguely more complicated these days :(
posted by dorian at 3:55 PM on March 16, 2016 [3 favorites]


Hell, what we need is a building code for software. I can't remove a skylight without a license, permit and two inspections, but we're supposed to just trust that the people writing the code that pretty much defines our whole modern lives to just do everything correctly, even in the face of constant failures?

Don't trust that people writing the code do everything correctly. It is theoretically impossible to prove that complex software is bug-free. It's pretty much guaranteed that software will have flaws. Make backups of your data. Use different passwords at different places, to limit the damage done when one place fucks up.

There oughta be some kind of standards and third-party oversight before programs are allowed out into the wild.

You mean like the "walled garden" approach that iOS and video game consoles take? I guess those systems are less malware prone, so that's good. However, those policies aren't very friendly to free software (someone's gotta pay for the certification process), and they limit the control you have over your own devices.

Sometimes I think we ought to have civil liability for software security.

Most of the internet is built on free software, the web server, the browser, the database, the packet routing, even the compilers and interpreters. If everyone who used my software could sue me if it failed, who could ever afford to distribute free software?

I am aware of one type of software that regularly has this kind of liability. Makers of gambling machines are liable for erroneous payouts. I'm not sure if that's a legal requirement, or just something that's necessary to convince the casinos to use them. This approach might not be viable for software with more complex needs or for software that doesn't basically print money for its owners.

A really effective, organized, software engineer's guild, one with the ability to enforce who can and cannot write software

Haha, good luck even defining what does or does not constitute writing software. Is it writing a static web page? What if the page has a dropdown menu? Is showing one thing if they're on a phone but another if they're on a computer writing software? Is writing a complex regex for your ad blocker whitelist? Is making a logic gate in Minecraft writing software? Is making a web browser in Minecraft writing software?

I don't know what the solution is. There's lots of things individual users can do to make things better, like disable flash, or install adblocking software. There's lots of things individual software developers can do, like try really really hard. But those are ... limited in their effectiveness by who's motivated. But I don't see any way a single system-wide change can fix this either. It's a fucking mess.
posted by aubilenon at 3:57 PM on March 16, 2016 [8 favorites]


NYT got paid to distribute malware. They should surely be held responsible for damages. Also, there should be criminal charges for violations of CFAA.
posted by BentFranklin at 3:59 PM on March 16, 2016 [3 favorites]


I think the days of the Internet as it currently exists are numbered. As more people actively distrust and block ads, revenue will drop and ad-supported content will continue to shrivel and dry up. Content will increasingly either be funded as not-for-profit (like, say, Wikipedia) or things you pay for in advance (say, the New York Times). It will be increasingly consumed not in traditional websites but in custom apps. Websites will exist in a few categories - corporate websites, cause-oriented websites, projects like Wikipedia, and of course websites that sell stuff. But content will be paid for, whether that's through subscribing to YouTubeRed (content network), or supporting the creator on Patreon (crowdfunding), or direct subscriptions to content services. I mean, we're heading well in that direction, but I think it's going to be increasingly radical.

There will be more walled garden effects; there are a lot of ways that this could go. Probably the most interesting things will be how Facebook monetizes itself and what Google does as the ad revenues dry up.
posted by graymouser at 4:02 PM on March 16, 2016 [1 favorite]


[mega consolidated response]

@Nelson:
What makes me angry is the incompetence of the ad networks that consistently are serving malware to people.

Most ad networks aren't consistently serving malware. The fact that this is notable is proof of that; there's just a lot of web browsing going on and a lot of ads, so when an attack does get through, it can have a big impact. This was a sophisticated attack - they looked for an expired domain which was a valid advertiser (most likely) whose old domain was used to host a redirect to the sites hosting fairly sophisticated attack code. This isn't something that teenagers do for lulz, this is a serious criminal enterprise.
Our suspicions grew further when de-obfuscation of the script revealed that it tries to enumerate the following list of security products and tools in order to filter out security researchers and users with protections that would prevent exploitation
Having worked on AdWords, you also probably know the financial reasons why companies have moved to dynamic ads.

on top of that PageFair is now deliberately circumventing my ad block security software

Ad blocking isn't security software. They didn't kill your antivirus, they showed ads you didn't want to see.

In past attacks they have either had malware uploaded and served as legitimate ads, or else had their serving infrastructure hijacked to serve new stuff.

This is exactly the same type of attack that I have specific experience trying to prevent and it's been going on for years. (The 2007 ISC post naming it malvertising specifically mentions the use of driveby downloading from an unrelated site.) All they have to do is get the browser to go to an arbitrary server (or more likely, a chain of servers) through some form of redirect and execute javascript. Unless someone can make entirely HTML ads profitable again, it's going to continue to be a risk.

At the core of it, the whole concept that browsers will happily execute javascript from whatever site happens to send it some is utterly crazy from a security perspective, but it's what makes the modern WWW work, and as anyone that's used NoScript will tell you, trying to whitelist only the "good" sites is a tremendous amount of work. Ultimately, we'll get deeper and deeper layers of sandboxing that will cut down on the effectiveness of this sort of thing, but we're not there yet.

@CrystalDave:
The site first-off

OK, so you're positing that no site that relies on ads should be able to exist without having sufficient software, server, and network security knowledge to evaluate the security posture of their ad provider(s)? What percentage of the sites you go to have that level of knowledge or can afford to hire someone that does? Is a world where medium sized sites (the ones whose costs are higher than what can be done as a hobby) can't afford to exist out of fear of being sued because they chose the wrong ad provider (when all they wanted to do was provide a resource for people that enjoy crochet or whatever) a good world?

Let's say someone hacked The DECK and Metafilter started linking to a site that served malware. Who at Metafilter do you think is personally responsible on a day to day basis for making sure that doesn't happen and what process do you think they use to do so?

There's also a massive chilling effect, because ads are just links to other sites, and if sites start being held responsible for what they link to serving malware, where does it end? If I find defunct domains that Metafilter has linked to in the past, buy them, and serve malware to people browsing old posts, is Metafilter liable?

Static HTML & first-party images only.

If that was still enough to be profitable, it's what the market leaders would be doing. The overhead cost of that is next to nothing - if it were workable, basic adwords would be Google's primary product.

But let's say you got your wish and that static HTML links to a malware server that 99.999% of the time serves up an innocuous page and 0.001% of the time serves up malware. Who is responsible?

I note that you don't bother to respond to the issue of people not patching their software, so let's move it into the physical world for a moment. Take that Toyota issue that caused cars to accelerate... Let's suppose it could be triggered with 100% reliability by an external source. Toyota has issued a fix for it. The fix is free. They're putting out alerts, they're begging you to install it. There's a little notice on your dashboard telling you that there's an urgent update that really needs to get applied. You choose not to apply it. You continue driving it for months. At what point does the liability shift from Toyota to you?

@Diablevert:
But if people start ad blocking everything, could it make them perk up?

They're already starting to work around that by making plans to proxy ad content as if it were coming from the content provider. Though that will have the pleasant consequence of cutting down on some of the worst malvertising vectors.

@nat:
One doesn't run microsoft silverlight because.. why would one do that?

Silverlight is mostly installed because Netflix used it. To your question on whether you've been infected, the reports indicate that it was being used to serve cryptolocking malware, so if you'd been hit you'd already know. That said, it's a good reminder to make sure that you have recent offline backups of everything important (not just for security reasons). If you were using Chrome and had restarted when the hamburger bar went red last week (or have plugins set to only run on demand), I believe you'd have already been patched (or default denied) for everything they were using as an exploit, but I've not read that deeply into which exploits they were using.

@Foci for Analysis:
that's why they keep showing pop over ads, pop under ads, pop up my ass ads. Because they don't like it.

Users hate them. If they didn't get more value from having them than not having them, they wouldn't, because their competition that didn't use them would outperform them with users. Big sites do A/B testing of users to measure both whether they stick around/come back and the performance of the ads.

@You Can't Tip a Buick:
Certainly, the vast majority of what I read on the web would go away without advertising to support it — and if it went away, I'd be better off for it.

Then I challenge you to do it for a week or a month and report back. It would actually make an interesting FPP.

@Anticipation Of A New Lover's Arrival, The:
what we need is a building code for software.

The problem is that proving software is secure is tremendously more difficult than a physical structure, because code running (as we currently use most computers) can modify itself while running (sometimes by design, sometimes by defect). At the point that there is an infinite number of possibilities for what the code will do, which is true for things like Turing complete languages such as javascript, it becomes impossible to evaluate whether each possible branch is safe or not, because the rabbit hole just keeps going. If you want a more hard core explanation, I like this Langsec video.

It would certainly also kill off the feasibility of open source software, which everyone reading this uses millions if not billions of times a day, perhaps without even realizing it. Inexpensive and ubiquitous computing is made possible by such software and other than internet addiction has led to a lot of improvements in first world people's lives.
posted by Candleman at 4:03 PM on March 16, 2016 [16 favorites]


3. Uh, how much did you pay, or how much would you pay, for your browser?

I don't know how much of the cost of my Mac or my iPhone is accounted for by the Safari development team but I assure you I paid for my browser.
posted by ejs at 4:13 PM on March 16, 2016 [7 favorites]


A software engineer guild/licensing procedure? Yes please, as long as I get to be on the inside. If this also normalizes and enables a "Fuck you, you can't have this by tomorrow/for cheap/according to your fucked-up specs" attitude, the good times will just keep on rolling. Sucks for everybody else though.
posted by Dr Dracator at 4:17 PM on March 16, 2016 [4 favorites]


no site that relies on ads should be able to exist without having sufficient software, server, and network security knowledge to evaluate the security posture of their ad provider(s)?
No, I'm positing that they're taking a risk, and sometimes they get burned. This could be mitigated through their own security, or through changes to contracts with ad sites which more clearly define liability between the parties.

What percentage of the sites you go to have that level of knowledge or can afford to hire someone that does? Is a world where medium sized sites (the ones whose costs are higher than what can be done as a hobby) can't afford to exist out of fear of being sued because they chose the wrong ad provider (when all they wanted to do was provide a resource for people that enjoy crochet or whatever) a good world?
The business models of sites which survive by taking a risk on what they have users execute in their name really aren't any of my concern.

ads are just links to other sites, and if sites start being held responsible for what they link to serving malware, where does it end?
Wrong. If ads were just links, we wouldn't have the issue in the FPP. They're *executable code*, which includes links. They're making a claim that the code is safe to run. If the burden of protection was supposed to be browser/user-side, then we'd be seeing more browsers with third-party script blocking built-in.

If that was still enough to be profitable, it's what the market leaders would be doing.
Again, why are you assuming that someone else's business model is my responsibility? They didn't ask me. They didn't put a barrier up saying "By accessing this site you agree to run all code we present and view all images presented" before I started loading the page.

I note that you don't bother to respond to the issue of people not patching their software, so let's move it into the physical world for a moment.
Let's not. Analogies are by their nature imperfect and often deceptive things. A phone is not a car is not a browser is not a locksmith.

Users hate them. If they didn't get more value from having them than not having them, they wouldn't, because their competition that didn't use them would outperform them with users. Big sites do A/B testing of users to measure both whether they stick around/come back and the performance of the ads.
However, sites which aren't big enough to do their A/B testing in-house (And very few are that big, in my experience) also get the A/B testing scripts blocked, so this is irrelevant. Your metrics are flawed.
posted by CrystalDave at 4:19 PM on March 16, 2016 [3 favorites]


> > Certainly, the vast majority of what I read on the web would go away without advertising to support it — and if it went away, I'd be better off for it.

> Then I challenge you to do it for a week or a month and report back. It would actually make an interesting FPP.


Internet diet articles were a big thing a few years ago, but I just don't think they draw eyeballs anymore.
posted by You Can't Tip a Buick at 4:20 PM on March 16, 2016 [3 favorites]


Arguably, you paid for sparkles and glitter by buying Apple though, ejs. If you'd wanted security, then you'd be running an operating system that makes security a higher priority, like Subgraph OS, Qubes OS, Whonix, or Tails.
posted by jeffburdges at 4:21 PM on March 16, 2016


you paid for sparkles and glitter by buying Apple

* eye roll *
posted by sandettie light vessel automatic at 4:26 PM on March 16, 2016 [34 favorites]


Just to clarify, I linked to the section of Wikipedia that discussed the uBlock Origin vs. uBlock because I wanted to highlight the separation of the two versions.
posted by Splunge at 4:27 PM on March 16, 2016


> no site that relies on ads should be able to exist

I agree.

I don't see ads on metafilter; I dunno if that's the work of my adblockers or due to being logged in all the time (it's the latter, right?). every so often (not as often as I should), I throw the site some money when I think I'm causing the mods too much trouble or when I get a particularly strong warm fuzzy off of a thread or when I otherwise feel compelled to support this place.

The tightly enforced policy against self-promotion is the main thing that keeps me infesting this site rather than any other. I think the Internet is better at community than at content, and I also think that tightly enforced anti-self-promotion rules are the sine qua non for effective communities. I wish it were possible for mefi's utopian no-self-promotion bubble to exist without the need to feed ads to the lurkers, but, well, such is life.
posted by You Can't Tip a Buick at 4:30 PM on March 16, 2016 [2 favorites]


Anticipation Of A New Lover's Arrival, The: "Hell, what we need is a building code for software. I can't remove a skylight without a license, permit and two inspections, but we're supposed to just trust that the people writing the code that pretty much defines our whole modern lives to just do everything correctly, even in the face of constant failures? There oughta be some kind of standards and third-party oversight before programs are allowed out into the wild."

Oh dear Christ that is a million times more horrific than the concern of malware. It is so so so bad an idea in so many utter ways... Including with general computer security, the difficulty of programming in general, the need for free and open software and other such things.

Like - is this serious?
posted by symbioid at 4:32 PM on March 16, 2016 [3 favorites]


The first step in regulating secure software is testing that any program will halt. Solve that, and I'm on board.
posted by The Gaffer at 4:42 PM on March 16, 2016 [15 favorites]


Although this batch doesn't explicitly attack linux, I just discovered firejail which simplifies sandboxing applications on linux.

I run uBlock with a default-deny rule for 3rd-party javascript and frames. Yes, it "breaks" many sites (usually improving them by hiding facebook and disqus comments, which will grind any page with whole seconds of stupid), but it gives me a list of exactly which 3rd-party sites are blocked. Yes, that's an additional bother, but I think it's worthwhile.
posted by CBrachyrhynchos at 4:46 PM on March 16, 2016 [5 favorites]


Candleman: "The problem is that proving software is secure is tremendously more difficult than a physical structure, because code running (as we currently use most computers) can modify itself while running (sometimes by design, sometimes by defect). At the point that there is an infinite number of possibilities for what the code will do, which is true for things like Turing complete languages such as javascript, it becomes impossible to evaluate whether each possible branch is safe or not, because the rabbit hole just keeps going. If you want a more hard core explanation, I like this Langsec video."

Yeah - like - that reminds me of Ken Thompson (the guy who invented Unix) and his "Reflections on Trusting Trust", a seminal talk on just how utterly difficult trust is when it comes to programming.
The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect.
posted by symbioid at 4:46 PM on March 16, 2016 [6 favorites]


> no site that relies on ads should be able to exist

I agree.

I don't see ads on metafilter
And like that, *poof*, they disappeared into the ether.

Some guy named Matt blogs about ads on some site

I mean, come on, either you *truly* believe that no site that uses ads should exist and should leave Metafilter or you're just spouting nonsense. It's well known that Metafilter uses ads, it's been mentioned repeatedly in this post, been FPPed, in the discussions that led to the creation of the "I fund Metafilter" donations that you use... that you may or may not block them is immaterial, the site you're fundamentally addicted to cannot exist as it does without ads.
posted by Candleman at 4:50 PM on March 16, 2016 [2 favorites]


Sometimes I think we ought to have civil liability for software security.

Our Congress is backing bipartisan legislation that would penalize companies that add too much security to their products. So there's that too.
posted by RobotVoodooPower at 5:07 PM on March 16, 2016 [6 favorites]


In light of this incident, I've been reevaluating my defenses. Is there a meaningful alternative to ScriptSafe, Ghostery, et al., that doesn't involve multiple reloads and endless frustration when trying to look at videos? Perhaps a combination of Disconnect and Privacy Badger?
posted by ob1quixote at 5:08 PM on March 16, 2016


Anyone who thinks Apple doesn't take security seriously should probably Google "Apple FBI" right about now, or look into what caused that spate of "ad blockers will kill the Internet" articles last year.

(So as not to derail this thread into an OS argument I am ad-blocking myself from further participation)
posted by ejs at 5:09 PM on March 16, 2016 [3 favorites]


For the record, MeFi is one of the handful of sites I allow to serve me ads, and what The Deck shows has consistently been very worthwhile. I can't count the number of times I've found out about a useful piece of software from an ad on MeFi that I immediately forwarded to my business partner.
posted by ob1quixote at 5:10 PM on March 16, 2016 [5 favorites]


So: firing up a browser that I don't normally use, it seems the way it works here is that if you've got an account, the ads via the deck come complete with a button labeled "hide" — I clicked that button so long ago I forgot the site even tried to show ads to members.

I'd like to note, though, that there is no contradiction involved in using a site that you believe shouldn't exist. We have to Internet with the Internet we have, after all, not the Internet we want. In this case, we have a funny little bubble of utopian adless 90sweb for the insiders, supported largely by ad revenue generated off of outsiders.

I mean there's an element of "fuck you I got mine" to finding this situation tolerable, certainly, but currently it's one of the least-intolerable ways to do community on the web.

If Metafilter collapsed due to all users refusing to display ads, I would be at a loss for what to do with my down time, but I wouldn't be fundamentally heartbroken (and I'd probably be better off on the whole).

Real talk, though: it would probably be better for me (and for most other people who post a lot here) to get the thing we're getting from metafilter (smart funny conversation with people you recognize) from other places than the Internet.
posted by You Can't Tip a Buick at 5:12 PM on March 16, 2016 [5 favorites]


also, having for the first time in years clicked around a bunch of my favorite sites using a non-adblocked browser, good lord but the (unfiltered) Internet is ugly these days.
posted by You Can't Tip a Buick at 5:16 PM on March 16, 2016 [9 favorites]


yes but nobody i know irl wants to discuss the lateral stability of mid-century american automobiles
posted by indubitable at 5:23 PM on March 16, 2016 [6 favorites]


well, there's no use discussing that. everyone already knows the answer.
posted by You Can't Tip a Buick at 5:23 PM on March 16, 2016 [4 favorites]


see? these are the hard hitting opinions that i'm here for
posted by indubitable at 5:25 PM on March 16, 2016 [3 favorites]


And as many other commenters have said, *this* sort of thing is why I use an ad-blocker.
posted by 43rdAnd9th at 5:28 PM on March 16, 2016


In this case, we have a funny little bubble of utopian adless 90sweb for the insiders, supported largely by ad revenue generated off of outsiders.

I dunno about use patterns by insiders and outsiders but I have ads whitelisted on exactly two sites and this is one of them. But then I could count on one hand the number of times I've clicked on an ad here so...

Really it would make 10x more sense for me just to donate money.
posted by atoxyl at 5:29 PM on March 16, 2016 [1 favorite]


MetaFilter: there's an element of "fuck you I got mine"
posted by Candleman at 5:31 PM on March 16, 2016 [3 favorites]


OK, so where does the responsibility of the consumer come in?

I feel like my responsibility ends somewhere around the point when I've paid the monthly fee to my Internet provider (I'm careful about the sites my family visits, we all run uBlock, etc.). Every month around now my provider sends me a series of emails with titles like, "You have used 95% of your data allotment!!", or "You have Exceeded your monthly data limit!!" and finally "You're putting our kids through university. Thank you." Now my Internet is already way more expensive than it needs to be.

But that got me thinking about the good old days when one of the arguments against various kinds of spam was "Why should I pay so you can use my account to send your proprietary messages?" We should revisit that idea, because I think people could appreciate that this is outright theft by ad networks.
posted by sneebler at 5:32 PM on March 16, 2016 [1 favorite]


Ad blocking isn't security software.

I think that's demonstrably false. My casual observation is there's one significant ad network malware incident a month now. Blocking untrustworthy ad code from loading and running is a security measure.
posted by Nelson at 5:41 PM on March 16, 2016 [33 favorites]


> Is there a meaningful alternative to ScriptSafe, Ghostery, et al., that doesn't involve multiple reloads and endless frustration when trying to look at videos? Perhaps a combination of Disconnect and Privacy Badger?

Nope, you'll always have to manually unbreak sites, and it'll likely get even worse what with the ever-increasing page bloat and CDN everything.

The closest there is to your ideal is perhaps uBlock Origin with dynamic filtering in "medium" mode (in addition to the blocklists, of course).
Honestly, I'd just ditch everything apart from that and perhaps NoScript since it apparently gives some passive protection even if you set it to allow scripts globally (though I don't recall where I've read this so take it with a pinch of salt) and use uBlock instead for the actual script whitelisting. The less extensions you have to juggle with the better.

For videos you really want to watch all the way through, it's much simpler to use youtube-dl instead of performing the arcane rituals required to watch them in the browser.
posted by Bangaioh at 5:47 PM on March 16, 2016 [6 favorites]


if you run uBlock Origin in Nightmare Mode, ads respawn almost as soon as you kill them
posted by indubitable at 6:06 PM on March 16, 2016 [13 favorites]


At this point, I recommend completely disabling plugins. It's a checkbox in most browsers and actually gives a better experience than using click-to-play because many sites botched their design and use Flash/Silverlight if the plugin is listed by your browser but use HTML5 video/audio if it's not present at all (thank Steve Jobs - seriously).

It used to have gaps but for at least a year it's been unnoticeable except for the improvements in battery life and video quality.
posted by adamsc at 6:24 PM on March 16, 2016 [1 favorite]


Bangaioh: “For videos you really want to watch all the way through, it's much simpler to use youtube-dl instead of performing the arcane rituals required to watch them in the browser.”
I was thinking mostly of HBO, NHK, Adult Swim, and my cable provider's Internet VOD offerings. It seems like the proverbial "magic combination of bullshit" it takes to actually watch changes from week to week and it gets very frustrating. I've been fiddling with ScriptSafe, et al., for so long. I was hoping Disconnect would be a good replacement, but having run it for the last couple of hours, I don't know.
posted by ob1quixote at 6:24 PM on March 16, 2016


For those under USG jurisdiction, code is a form of speech, and Congress shall make no law abridging the freedom thereof. Would be like requiring a license to write a book.

This is also relevant to the ongoing fuckery by the FBI as they are attempting to compel speech from Apple Inc. and its employees.
posted by save alive nothing that breatheth at 6:25 PM on March 16, 2016 [2 favorites]


Using a combination of Blockery, BreezeWhistle, ohJava, frenchLTR and wetTabs my browser is secure.
posted by benzenedream at 6:30 PM on March 16, 2016


As I told colleagues when we were discussing this earlier, every time I see an article about sites getting hit by malware ads I worry that the article itself will be a vector for attack.
posted by limeonaire at 6:35 PM on March 16, 2016 [2 favorites]


This is also relevant to the ongoing fuckery by the FBI as they are attempting to compel speech from Apple Inc. and its employees.

Is forcing bank employees with a warrant to allow access to a vault compelling speech? If code isn't civil engineering, then it isn't necessarily speech all the time either.
posted by sebastienbailard at 6:49 PM on March 16, 2016


Uh, how much did you pay, or how much would you pay, for your browser?

Hard to say, but roughly:
[(what I paid for my laptop) - (what I would have paid if it couldn't browse the internet)] dollars.
posted by ctmf at 6:52 PM on March 16, 2016 [5 favorites]


If you watch Netflix, you don't need Silverlight if you are using a reasonably current operating system and browser. HTML5 video works just fine.
posted by maudlin at 7:01 PM on March 16, 2016 [3 favorites]


I do believe you still need Silverlight to watch Amazon Video, at least on a Mac.
posted by klangklangston at 7:16 PM on March 16, 2016


Question: does doing your normal business in a second, non-administrator account keep these ransomware things from getting everything non-normally writable by you? I haven't been keeping up.

I'm kind of stuck here - my wife uses her macbook (not as administrator) but I struggle to get her to understand even how iTunes works, much less care about fiddling with adblocker whitelisting. She just wants it to work with no confusing dialog boxes and stuff.
posted by ctmf at 7:26 PM on March 16, 2016


I work in software and trust me, a lot of us hate this stuff. And I personally don't get why it's so hard. Make an ad network, keep the ads simple with standardized basic tracking, don't let the ads serve a zillion weird javascript files or be made with flash. Even better have a normal human being screen the ads.
posted by melissam at 7:52 PM on March 16, 2016 [2 favorites]


I kind of miss that Flash at least laid a clear line between lightweight and predictable internet and heavy with obnoxious behavior internet. You could disable flash in the old days, and a website would still load text and images.

Now, Javascript does everything so if you disable it, you aren't just blocking the worst ads and exploits, but also basic stuff like "position and display the headline." So an adblocker that bans known ad and malware servers becomes the only reasonable option.
posted by mccarty.tim at 8:53 PM on March 16, 2016 [5 favorites]


I'm really surprised someone hasn't made a very small VM with a tiny version of linux and a browser in it and nothing else I should look into that.

I used to use Adblock, but would write my own filters to only block ads with nudity (annoyingly common on Youtube, RPG.net, mostly due to mobile games), creepy things (Most ads on The Escapist), or sound. Then last year an ad network somewhere was hit and everywhere I went I got "install java now" popups, that I'm sure if I'd clicked anything on I'd have been spied on to heck and back. Now, well, if you want to charge money to see your site, I'll understand. I might even pay for it; I did MeFi after all. But this is insane: Whitelist sites I trust? What happens when MeFi, Ars Technica, Chemical & Engineering News, etc's advertiser gets hit?

Frankly, I think the current situation is untenable, and ad networks are going to have to scale back, and stop running a ton of background scripts if they want people to see the ads at all. Serve them as apng, mnpng, gif, something like that that doesn't run code? Not sure how to do it; have a standard bit of code built into the browser that the ad calls to verify the ad has been seen? I'm sure someone will figure it out eventually.
posted by Canageek at 9:52 PM on March 16, 2016 [1 favorite]


Man, I have increasingly been white-listing sites I visit regularly to support them, and this has me regretting that.

I've always used AdBlock Plus. Does uBlock Origin offer any advantages?
posted by schroedinger at 9:58 PM on March 16, 2016


If you consume streaming media, you'll likely need Silverlight, because it offers DRM options that HTML5 and Flash do not, and companies that license media that contractually require certain types of DRM will therefore require that you install a Silverlight player.
posted by a lungful of dragon at 10:11 PM on March 16, 2016


I'm really surprised someone hasn't made a very small VM with a tiny version of linux and a browser in it and nothing else I should look into that.

That's more or less what Google Chrome is, is it not? It's an absolutely fantastic OS for folks who don't want to mess with computers, in my experience.
posted by bonehead at 10:39 PM on March 16, 2016


I've always used AdBlock Plus. Does uBlock Origin offer any advantages?

The author claims it's faster and uses less memory than AdBlock Plus.
posted by XMLicious at 10:57 PM on March 16, 2016




jeffburdges: "Actually the E.U. Data Protection Directive already forces websites to notify users of tracking. It's interesting this regulation fell upon websites rather than browser vendors, probably Microsoft and Google spent some major lobbying $ on that."
How would Microsoft or Google know (or indeed be responsible for keeping up with) which trackers I've installed on my website?
posted by brokkr at 3:39 AM on March 17, 2016


Don't you have to run a Docker container in its own VM to get any kind of security isolation benefit?
posted by indubitable at 7:01 AM on March 17, 2016


If you had only let us load 5 GB of ads for a 50 MB article page,

Please, please tell me 50MB isn't a 'standard' size for a web page these days?
I mean, that was 25% of my monthly download allowance 20 years ago.
posted by Mezentian at 7:22 AM on March 17, 2016


The main reason not to run AdBlock Plus is they take money from advertisers to show you ads you otherwise would block. They take 30% of ad revenue to show Google's ads, for instance. I'm fully in favor of ad blocking, but to me that sounds like an extortion racket.

uBlock Origin is the ad blocker of choice these days. I love that the author is a slightly eccentric curmudgeon. He doesn't even want donations! Also the code works great.
posted by Nelson at 7:48 AM on March 17, 2016 [7 favorites]


"The main reason not to run AdBlock Plus is they take money from advertisers to show you ads you otherwise would block. They take 30% of ad revenue to show Google's ads, for instance. I'm fully in favor of ad blocking, but to me that sounds like an extortion racket."

Honestly, I don't have so much of a problem with that — you can check the box so that those ads are allowed, or leave them excluded, and I don't mind having some ads that meet a reasonable standard. But the reason I have an ad blocker is because ads are often security risks or are just plain obnoxious, and the race-to-the-bottom approach leads to a shitty user experience.

And sure, that means that Forbes doesn't work for me, or a handful of other sites, and I'm OK with that. I've whitelisted a few sites (MeFi included, though I'm rarely logged out), but most places that I have given a shot when they pleaded have ended up doing pop-overs and other shit that I consider user hostile, and I think that it's ultimately my machine and I should get to decide what renders on it. (I did have to abandon noscript because it was too much management, but hey, Chrome allows me to have to opt-in to most plugins, and that seems to work fine.)
posted by klangklangston at 9:36 AM on March 17, 2016


What about the built-in adblocker in slimjet?
(and why won't it let me install adblock-blocker-blocker?)
posted by Obscure Reference at 9:44 AM on March 17, 2016


I could get behind making software engineers finally earn the engineering part of their title.

Canada does this. If you have 'engineer' in your title, that means you went to school to become an engineer.

Spoiler: Canadian programmers do not create magical perfect code.
posted by el io at 10:24 AM on March 17, 2016


klangklangston, I agree that AdBlock Plus' "acceptable ads" program isn't too bad for the individual user. But it seems really sleazy in that they are taking money from the advertiser and ad networks. Literally as an extortion system. "We've got 300,000 users who won't see your ads unless you cut us in 30%". It's gross. I mean your choice is your choice, but at some point ABP stopped seeming like user-protection software and became advertiser-fleecing in my mind.

The uBlock Origin guy has a commitment to ideological purity that I find charming, and in line with what I want from an ad blocker.
posted by Nelson at 10:40 AM on March 17, 2016 [2 favorites]


the only way the adblock pro model would work is if the ransom fee were distributed to the users of the plugin rather than held by the plugin author.

which is basically the only way that web ads on the whole could be acceptable — a deal something like "you want me to look at your junk? then pay me."
posted by You Can't Tip a Buick at 10:48 AM on March 17, 2016


I have increasingly been white-listing sites I visit regularly to support them

Like you, I wanted to support sites I like. Metafilter is the only site I white-list. I experimented with white-listing the Guardian for all of 5 minutes. The browsing experience was terrible.

Auto-playing video ads need to burn in hell.
posted by cynical pinnacle at 10:54 AM on March 17, 2016 [3 favorites]


I'm really surprised someone hasn't made a very small VM with a tiny version of linux and a browser in it and nothing else I should look into that.

There are some options. A company called Neverware has made CloudReady: a ChromiumOS (the open source version of ChromeOS) distribution which runs on most hardware. If you search, you'll find instructions and images for getting it to run in VMWare or VirtualBox. Here's one site with images.

You could also install CloudReady on your own hardware and then use Chrome Remote Desktop from your main desktop / laptop to use it. I think it runs on Raspberry Pi, so you could have a dedicated safe browsing machine for around $40.

Another option is buying something that runs ChromeOS. Cheapest option is a Chromestick (USB key-sized, HDMI-connectable computer) which goes for ~$85. Again, you could use Chrome Remote Desktop to get into it if you wanted to keep using your current desktop. Chromebooks are also a cheap, portable option.

I keep mentioning ChromeOS / ChromiumOS because it seems to be the safest, most secure web browsing environment for consumers. And if you think you got hit / infected by something, or just feel paranoid, it's very easy to roll ChromeOS back to its original state.

One interesting option, with a bit of a learning curve, is spinning up a Windows or Linux machine at Amazon (or cloud provider of your choice) and remoting into a clean OS & browser. With light usage, you could probably even manage this for free, on Amazon's free tier.

Tails, the Linux distribution centered on safe browsing and privacy via Tor, can also run in a VM.
posted by honestcoyote at 11:09 AM on March 17, 2016 [1 favorite]


I could get behind making software engineers finally earn the engineering part of their title.

I would be thrilled to jump through whatever hoops necessary to do this if it meant I got the same kind of requirements, planning, and expectations as a "real engineering" gig.

You want a new field added to that widget? Great! Please document all of the desired features for this field, how it should behave in relation to all existing features, and exactly how each of these features should be tested. Any requirements changes will necessitate a re-evaluation of the planning process.

Oh, you want this field by the end of the current sprint, in a new framework that we have no experience with...
*flips table over, walks home*
posted by strange chain at 11:29 AM on March 17, 2016 [3 favorites]


strange chain, "in a new framework" is of course preposterous, agreed. Having said that, if you could put up with some tradeoffs, then come work for Large Aerospace Corporation with me, requirements-based software development is the only way software gets done here.

"Let's put a link to the helpdesk on the login screen"

Okay!

UE and SE gather user-centric requirements (the field isn't even considered to be added to the widget if there's not a user-centric Use Case; the middle manager does NOT repeat NOT get to say "let's put a new field here"). Then painfully detailed requirements are gathered and go into Jira/Case/DOORS/VersionOne/whatever and get approved. THEN the reqs go to the UI/UX guy (me) who draws wireframe prototypes of the new UI and takes them back to the USERS and says "THIS, RITE?" and only then does it come near the devs. By then the devs have reqs with clear directives that say PUT IT HERE and USE THESE CSS SELECTORS and FOLLOW THIS LOGIC DIAGRAM and THROW THIS ERROR DIALOG WITH THESE WORDS on error. The devs love it, they don't have to muck about GUESSING fonts and colors and business logic and error states, they just have to make it work.

The big tradeoff is of course time. But all that I described up there can actually move along pretty swiftly when you have a good team that knows what to do. "Let's put a link to the helpdesk on the login screen" can go through all of that in two days, be coded and pushed to the Test server in 3 days, and rolled out to Production in four. If you're working 2-week sprints then it gets rolled into the sprint release.

! wow I typed a lot. Basically I agree with you, and so do a lot of other people.

</derail>
posted by sidereal at 12:22 PM on March 17, 2016 [1 favorite]


a lungful of dragon: "If you consume streaming media, you'll likely need Silverlight, because it offers DRM options that HTML5 and Flash do not, and companies that license media that contractually require certain types of DRM will therefore require that you install a Silverlight player."

Which Microsoft doesn't support in Edge. Silverlight's time is coming to a close.
posted by Mitheral at 1:19 PM on March 17, 2016 [1 favorite]


For which, thank (or propitiate) your deity (or not as applicable) of choice (or obligation, as required).

Ersatz Flash was as bad an idea as Flash itself. Though not as completely inept as Adobe, MS still shouldn't have copied them. The whole plug-in nonsense needs to die asap. It may have been a necessary hack at the time, but it's proven to be much more trouble than it's worth.
posted by bonehead at 1:38 PM on March 17, 2016


If only plugins were the only issue.

I place blame squarely on our tools, and even more specifically, on the operating systems we use.

Requiring every single app, every single component of every single app and every single thing that uses those components within those apps to be secure is a lost cause. A common argument is that the browser has become an OS of sorts, but that is true of any complex app, from emacs to adobe photoshop. Zillions of points of failure.

VMs have their own issues, but they are at least a step in the right direction. Isolate software --don't assume it's going to work -- assume it's going to break.
posted by smidgen at 1:54 PM on March 17, 2016 [2 favorites]


On the other hand, sidereal, I know someone who worked for Tiny Aerospace Corporation as an aerospace engineer and most of the time they were left to invent their own requirements to work toward and hope the customer agreed or didn't care enough to notice.
posted by indubitable at 1:55 PM on March 17, 2016


What's sort of interesting is that idea is what the "process" model originated from, but somehow it deteriorated over time -- probably starting with UNIX.
posted by smidgen at 2:19 PM on March 17, 2016


OK, so the building code model would obviously need to be adjusted to work for software. That comment I wrote wasn't intended as a final draft of some kind of binding legislation, but as a paradigm for how we might get better (any) standards for commercial software and as an analogy intended to show how ridiculous it is that software engineering is so totally unregulated as a profession.

Still, as a paradigm, I don't think it's as godawful as some people seem to think. People keep bringing up the idea that software is enormously more complicated than construction, and that may be true if you're thinking about construction in terms of building houses. But the thing is, the same building code that specifies what kind of shingling and fasteners and insulation and lumber I need to use if I want to remove a skylight at Bob's house in New England also covers what standards I have to adhere to if I want to build a skyscraper in Germany or a factory in Mexico. If you want a Construction Supervisor's License (an unrestricted one, which is the kind most contractors get) you need to show that you're familiar with the whole international building code, plus whatever amendments are pertinent for the jurisdiction in which you want to operate. And yet people—most of them with high school diplomas at most—still manage to get certified. If us blue-collar schmucks can handle certification and regulation, surely it would be a cakewalk for software engineers. I'm constantly hearing about what geniuses of innovation you folks are. Or would having some actual standards be too disruptive for the software industry to cope with?

Also, I'm not talking about some kind of self-certifying trade guild. The building code is written by international committees, amended by state legislatures, and enforced by local officials. Construction is a regulated industry. If you want to (legally) build on anything other than your own house (and sometimes even then) you need to either be licensed or be working under the aegis of someone who is. And yet construction is one of the most accessible and empowering skills to learn (I got my start in Americorps! You can also learn from your Dad, or in the military, or at a trade school, or even teach yourself! Heck, you can start as a laborer and learn on the job!) and the construction trades are some of the most accessible middle-class careers around. (Setting aside for the moment the insane misogyny within the trades, which is a huge problem in the construction industry but somewhat separate from the building code issue.) And there is an infinity of wonderful things you can still do if you have some skills and a few hundred bucks' worth of tools, without ever touching the building code. You don't even need that much! Volunteer at any Habitat for Humanity site, for instance, and you will see not only how much good regular people can do by swinging a hammer, but also how empowering it is for a bunch of regular Janes and Joes (volunteer construction is much more gender egalitarian than professional construction) to learn how to measure and cut and assemble boards and build a goddamn house with nothing more than willingness and some expert guidance. Habitat for Humanity houses are built to code, by the way.

The other major objection I see people raising is that building software is so much more complex than building houses that you couldn't possibly hope to cover everything in some kind of notional software building code. This I think shows a sort of misunderstanding of what building codes do. There are a zillion ways to fuck up a house without violating the code. The building code doesn't supersede pride in one's craft. It doesn't require that houses be level and square, or that the paint job be done well, or that the seams on the baseboards be tight. The building code is just a list of basic principles that, if followed, mean that you will avoid making many of the most common types of mistakes that people have historically made, and that requires people to build to some kind of evidence-based standard rather than just building things in whatever way they personally feel is good enough. Very importantly, it also mandates that construction be inspected by an outside expert who has no interest other than checking to see that the code was actually followed. This may sound impossible if you're in the unregulated Wild West that is software engineering, yet the construction industry is just as big and just as all-pervasive and it seems to survive. The code also gets periodically revised to accommodate problems that have cropped up as unintended consequences of new techniques and systems, possibilities created by new developments in building science, and the general desire for buildings to be built better and better as time goes on. This is why houses built today are much stronger, better insulated, more fire resistant, and generally safer and better than houses built fifty or twenty or even ten years ago. The construction industry would not have done that on its own, but with regulation we have gotten much better and are improving all the time.

I'm not saying that making a software building code would be simple to do, or even that it would be an unmitigated good. Like the real building code, it would probably be a byzantine mess of rules and regulations, many of which would seem nonsensical or even contradictory. It would probably also be constraining and the subject of constant griping on the part of coders, just as the real building code is the subject of constant griping by builders. And yes, it would probably shut some people out of the industry—just as the real building code shuts out some people who might otherwise be inclined to try their hand at carpentry or plumbing or electrical work (while still leaving lots of room for homeowners to do much of their own work, and for enthusiastic amateurs to learn all about how to build a table or wire a circuit). And no doubt there would still be bad code, just as there are still bad buildings. But the complaining and cries of impossibility remind me of the stories I hear from people who were building back in the 70s when the first building codes came into effect. It wasn't all that long ago that there was no building code for the construction industry! But things have gotten much, much better since the building code came into existence, and I'm not sure that it would be all that different for software. Certainly something needs to be done, because frankly the state of the software industry today is a fucking disgrace and people should be embarrassed to be in a trade that keeps constantly, constantly making such huge, glaring, high-profile, life-and-property-destroying, international-headline-making, multi-billion-dollar fuckups.
posted by Anticipation Of A New Lover's Arrival, The at 5:43 PM on March 17, 2016 [4 favorites]


maybe we should just institute a law against building a machine in the likeness of a human mind.
posted by You Can't Tip a Buick at 9:53 PM on March 17, 2016 [4 favorites]


I helped build Google AdWords, so I certainly can deliver the "ads are good and necessary" lecture with some intimacy.

Them's fightin' words.

The entire advertising industry is essentially parasitic. It serves no purpose that could not be better served in other ways without it.

It is well understood by anybody who looks at the conversion rate of advertising dollars to sales dollars that online advertising is a net expense, not a net revenue generator, for the businesses that actually pay for it. The only reason businesses still buy online advertising at all is fear that if they cease to do so, their competitors will gain an advertising-mediated advantage over them. This fear persists even though it has been clear for a decade that it has no basis in reality; though online advertising is now so debased as to be unfit for the purpose of marketing to the public, advertising sales people are very good at marketing their own industry to gullible rubes other business.

The only plausible justification for the advertising industry's ongoing Internet presence that has any credibility left with the general public is that it allows content creators and distributors to make a living off what they create and distribute, via bundling advertising with it.

The only reason such bundling makes any sense at all is that Internet connectivity providers have historically charged for provision of raw bandwidth without regard to the direction of data flow. But in the commercial Internet of the 21st century, the appropriate commodity is not bandwidth but data.

Consider a model where any entity that pulls data from elsewhere or pushes it likewise paid a fee to their connectivity provider for doing that; while providing data sources and sinks to be pulled from or pushed to by others attracted a rebate from the connectivity provider. To prevent rent-seeking via data churn, and provide a net revenue stream to connectivity providers, the rebate would need to be lower per megabyte than the fee, in much the same way as bank interest on a savings account is lower than interest on a loan.

Under such a model, any business with an online presence automatically gets paid to make that available, and the more hits it gets the more it makes. A video aggregation business like YouTube would become instantly profitable without advertising just because so many people would be pulling data from it; in order to attract the content creators that keep people coming back to YouTube, it would have a direct incentive to pay those creators directly per view. As a YouTube content creator you'd still be getting your tiny per-view kickback - but from YouTube itself, not from an AdSense overlay on top of it.

The natural objection is "but but but I don't want to have to pay for YouTube!" which is prima facie completely reasonable. But stop and think for a minute about who pays for YouTube right now and you have to conclude that it's already you; it's just that instead of paying your ISP for it, you're paying everybody you buy anything from for it, in the form of cost recovery for online advertising.

If the advertising industry were to evaporate in a puff of greasy black smoke tomorrow, everything would cost less because the economy would be free of a vast rent-seeking parasite; you'd end up paying part of that saving back to your ISP. And it would be only part, because it wouldn't have to cover the cost of hookers and coke for advertising executives.
posted by flabdablet at 6:32 AM on March 18, 2016 [9 favorites]


Speaking of parasites, a study by Enders Analysis "...found that mobile ads on articles represented between 18% and 79% of data required to read articles on iPhone 6 smartphones. And ads that use JavaScript for visual elements and animations represented between 6% and 68% of downloaded data." (via FB because the report is paywalled.)

Frankly I've never really noticed this because I mostly use Pocket to read articles on my phone. It's time I sent them some money.
posted by sneebler at 7:15 AM on March 18, 2016


flabdablet, there's been a small but persistent thread of academics talking about economic models for computing and networking like you describe. The biggest issue is that charging per byte makes no sense because the value of the content is not proportional to the bytes. (Compare a novel to a movie; roughly same "value" to the consumer, but 1000x difference in bandwidth.) Also the cost to create and deliver content is not really proportional to the bandwidth.

Another issue is that users really, truly don't want to pay for Youtube. And most people don't see looking at ads as a form of payment. There's been some recent efforts for online journalism to charge small fees to read articles, Wired's $1 / week for example. And huge, huge resistance to it. I wish people paying directly for content would work, but we have 150+ years of media history suggesting ads work better in most cases.

I now block every single ad I can. Including those from the system I helped build. I resent the way advertisements are mind viruses, try to trick people into buying things they don't want. I resent the intrusion into my mind, my desires. But I also see advertising as a necessary evil.

What I find completely unacceptable is the escalation of ad technology, to the point where ads consume half of the resources required to view a web page. And completely invade my privacy with 37 different tracking systems. And deliver malware on my computer. Online ad tech has gone way, way overboard and is actively consumer hostile. Fighting back is self-preservation.
posted by Nelson at 7:24 AM on March 18, 2016 [2 favorites]


>> "Hell, what we need is a building code for software.

> Oh dear Christ that is a million times more horrific than the concern of malware.

I've been making my living writing programs for almost 40 years. The idea that we as software engineers are so inept and so unprofessional that no sort of independent quality and reliability metrics of our work will ever be possible makes me really angry. Structural engineers do it; mechanical engineers do it; aviation engineers do it; we can do it, and one day we will.

We are not special snowflakes: we're supposed to be adult fucking professionals. Perhaps this is not possible today; but if we are to be taken seriously by anyone, if we are to look ourselves in the mirror! then we need to work towards codifying "best practices" and formalizing safety for our clients, because the idea that we have so little understanding of how our work works that we have to do it by the seat of the pants every time is humiliating and immature.
posted by lupus_yonderboy at 7:41 AM on March 18, 2016 [4 favorites]


users really, truly don't want to pay for Youtube.

Quite so. But we clearly don't mind paying our ISPs, and for much of the world that already involves paying more to get a higher monthly data allowance.

And of course the value of the content is not related to its size in bytes, but that doesn't really matter. After all, the value of content is also not related to the amount of advertising bundled with it either.

The aim is to create a business model where everybody pays for what is actually of value to them. The reason I pay my ISP is to gain access to sources of data I want to collect, and sinks for data I want to replicate elsewhere; those sources and sinks are the desirables that my ISP delivers to me retail, so there should be no particular reason why the ISP should not have to buy them wholesale, ultimately from the endpoints that provide them to the ISP.

There is a direct relationship between the amount and speed of data moving across the network and the cost of the equipment required to allow that to happen. That makes it make sense for network connectivity providers to work with pricing that's at least partly worked out per megabyte. But there could also be flagfall charges for initial connection establishment, or flat-fee schemes with predefined data caps. The mobile phone industry is chock-a-block with these things, so there is no shortage of software for tracking and billing them.
posted by flabdablet at 8:37 AM on March 18, 2016


Structural engineers do it; mechanical engineers do it; aviation engineers do it; we can do it

I am in sympathy with the general feeling behind that, but I think you might be overly willing to discount the fact that software is far more abstract, and therefore far less constrained by physics, than the materials upon which other branches of engineering are based.
posted by flabdablet at 8:43 AM on March 18, 2016 [2 favorites]


I now block every single ad I can. Including those from the system I helped build. I resent the way advertisements are mind viruses, try to trick people into buying things they don't want. I resent the intrusion into my mind, my desires. But I also see advertising as a necessary evil.

I can sympathise with that; it would be more than most people could bear, to believe that one had spent much of one's life on the construction of an unnecessary evil.

But it's not as if the warnings were unavailable.
posted by flabdablet at 8:49 AM on March 18, 2016


I'm not convinced that certification will work. Everyone involved in the software chain (with the possible exception of the advertising networks, who really shouldn't be allowing imports of arbitrary javascript) appears to be making a strong good-faith effort to create reasonably secure software. Ars just ran an article about how even intentionally hardened hardware is vulnerable to rowhammer. Sometimes the exploits are obviously negligent, but often they're not. "Many eyes make all bugs shallow," seems to be working in favor of attackers these days.
posted by CBrachyrhynchos at 9:42 AM on March 18, 2016


The natural objection is "but but but I don't want to have to pay for YouTube!" which is prima facie completely reasonable.

And yet how many of us pay for Netflix? I would actually pay for Youtube, and would like to be able to consider the Youtube Red thing, but it's not available in my country yet.

We're told always that tolerating advertising is the compromise we need to make to get content, but it would be interesting to see the uptake on the paid/free services as well as the numbers between ad-supported-only and paid-only competitors.
posted by bonehead at 10:05 AM on March 18, 2016


I can sympathise with that; it would be more than most people could bear, to believe that one had spent much of one's life on the construction of an unnecessary evil.

No sympathy needed; I'm quite proud of my work on Google AdWords. Both the technical work and the products I worked on. I do think advertising is necessary to the online media ecosystem and frankly I think you're delusional if you think ads could be removed from the Internet and we would retain content services like YouTube, the NYTimes, or Metafilter. Given that there will be ads online they may as well be good ads.

When it was introduced, Google AdWords was better for consumers than existing ad products. Both because the ads themselves were small and unobtrusive, simple bits of text. And because the ads were often relevant to what the user was doing at that time. But I stopped working at Google in 2006. And since then Google ads have moved on significantly and now employ way more techniques and technologies than I can keep track of. I'm sure I wouldn't feel good about working on parts of Google's ad products now.

Back to malware, I think one line in the sand that could be drawn is that ads cannot be executable code. No Javascript loaded from third parties, and certainly not Flash or Silverlight or other crap. Just text, images, and (regrettably) movies+sound. Maybe one HTTP callback. Technically this restriction is a bit slippery, complex media formats themselves are sort of executable programs. But those can be limited to a more securable subset.

"Load arbitrary javascript from 37 different sites" is a shitty architecture for the modern web.
posted by Nelson at 10:09 AM on March 18, 2016 [3 favorites]
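
The restriction proposed in the comment above (text, images, audio and video, at most one HTTP callback, no executable content), sketched as an ingest-side check an ad network could run on submitted creatives. This is an added example, not part of the thread or any ad network's code; the tag and attribute allowlist, the https-only rule, and the treatment of a 1x1 image as the "callback" are assumptions made for illustration, and the sample creatives are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: tag -> attributes permitted on it. Anything absent is rejected,
# which covers <script>, <iframe>, <object>, <embed>, <svg>, <style>, <link>, etc.
ALLOWED_TAGS = {
    "div": set(), "span": set(), "p": set(), "b": set(), "i": set(),
    "em": set(), "strong": set(), "br": set(),
    "a": {"href"},
    "img": {"src", "alt", "width", "height"},
    "video": {"src", "poster", "controls", "width", "height"},
    "audio": {"src", "controls"},
    "source": {"src", "type"},
}
URL_ATTRS = {"href", "src", "poster"}
MAX_CALLBACKS = 1  # "maybe one HTTP callback"


def is_https_url(value):
    """Accept only absolute https URLs; javascript:, data:, relative and
    scheme-relative URLs all fail this allowlist test."""
    parts = urlsplit(value)
    return parts.scheme == "https" and bool(parts.netloc)


class CreativeValidator(HTMLParser):
    """Collects policy violations while parsing one ad creative."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.violations = []
        self.callbacks = 0

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names and decodes
        # character references in attribute values before we see them.
        if tag not in ALLOWED_TAGS:
            self.violations.append(f"tag <{tag}> is not allowed")
            return
        seen = {}
        for name, value in attrs:
            value = value or ""
            seen[name] = value
            if name.startswith("on"):
                self.violations.append(f"<{tag}> {name} is an event handler")
            elif name not in ALLOWED_TAGS[tag]:
                self.violations.append(f"<{tag}> attribute {name} is not allowed")
            elif name in URL_ATTRS and not is_https_url(value):
                self.violations.append(
                    f"<{tag}> {name}={value!r} is not an absolute https URL")
        # Assumption: a 1x1 image is the impression callback (tracking pixel).
        if tag == "img" and seen.get("width") == "1" and seen.get("height") == "1":
            self.callbacks += 1
            if self.callbacks > MAX_CALLBACKS:
                self.violations.append(
                    f"more than {MAX_CALLBACKS} callback pixel(s)")


def validate_creative(markup):
    """Return a list of violations; an empty list means the creative passes."""
    validator = CreativeValidator()
    validator.feed(markup)
    validator.close()
    return validator.violations


# Constructed sample creatives.
CLEAN_AD = (
    '<div><a href="https://shop.example/sale">'
    '<img src="https://cdn.example/banner.png" alt="Sale" width="300" height="250">'
    '</a><img src="https://track.example/imp?id=1" width="1" height="1"></div>'
)
LACED_AD = (
    '<div onmouseover="x()">'
    '<script src="https://evil.example/a.js"></script>'
    '<object data="https://evil.example/a.swf"></object>'
    '<a href="java&#115;cript:alert(1)">win</a>'
    '<img src="https://a.example/p" width="1" height="1">'
    '<img src="https://b.example/p" width="1" height="1"></div>'
)

if __name__ == "__main__":
    for label, ad in (("clean", CLEAN_AD), ("laced", LACED_AD)):
        problems = validate_creative(ad)
        print(label, "PASS" if not problems else "REJECT")
        for problem in problems:
            print("   ", problem)
```

A markup check at ingest does not see what the browser finally renders, so the same policy is normally also enforced at display time, for example by rendering the creative in an `iframe` whose `sandbox` attribute omits `allow-scripts`.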


There is no real reason for a paid content model though, flabdablet. Just abandon the centralized web server model in favor of a true peer-to-peer model.

Anything where users provide all the content, like Facebook, Twitter, StackExchange, GitHub, Reddit/Metafilter, etc., and even Youtube really, would work better as decentralized peer-to-peer applications. Internally, they evolve towards decentralization anyways. It's doing the crypto to make them privacy preserving that's hard, but that's at least as hard in the centralized web server model.

There is actually not that much that requires commercially created content, basically Newspapers, Webcomics, and books, well most commercial Youtube videos are themselves viral advertising, and movies can be ignored. As I understand it, customers will pay for "analysis" like say the Economist that really contributes to their understanding, but not for "news" that they can learn by simply opening up Twitter.

We're left with a three tiered system for paying for services : All the user created content sites get replaced by peer-to-peer protocols so that users fund them directly with hardware purchases. We pay for rare particularly good content with micro-payments. Ad blockers are installed everywhere by default, but when ads do place they earn more because they're rare, and the big user generated ad suppliers like youtube and facebook are gone.

It's highly nontrivial to actually run a big peer-to-peer network of course. As a comparison the Tor project runs on about $2M per year, but that pays for personnel who monitor the network, deal with the latest attacks, find new ways to circumvent the Great Firewall, deal with political issues, find funding for everyone else, etc. All their 6000ish nodes are operated independently by individuals and organizations though, so it's way cheaper than it'd be if run centrally. I think less altruistic networks like say BitTorrent cost way less.
posted by jeffburdges at 11:49 AM on March 18, 2016


> I think you might be overly willing to discount the fact that software is far more abstract, and therefore far less constrained by physics, than the materials upon which other branches of engineering are based.

Yes - that should make software engineering easier, not harder!

No, the reason that software is crappy is because the industry doesn't value correctness as much as it values features.

If the aviation industry worked this way, we'd have supersonic planes that constantly crashed.
posted by lupus_yonderboy at 11:54 AM on March 18, 2016 [1 favorite]


that should make software engineering easier, not harder!

What it makes easier is building massive ecosystems of abstraction that are too complex to understand because they are not rooted in anything but each other. Software's failure rate is high because the opportunities for failure are that much more numerous.
posted by flabdablet at 12:08 PM on March 18, 2016


software design and implementation involves manipulating deeply nested abstractions within abstractions in a way that the human mind can only barely keep track of. It is not just more complex than other forms of engineering, it is complex in radically different ways. Analogies between programming and engineering are a distraction; software is
  1. different from, and
  2. much, much weirder than
any other category of technological artifact in regular use.

Frankly — and I apologize that there is simply not enough space in this comment box for me to fully elaborate on this claim — I think it's fairer to draw analogies between software design and political practice than it is to draw analogies between software design and engineering. Saying that we can fix software by more tightly credentialing programmers and by more rigorously valuing correctness is like saying that we can fix our political systems by properly credentialing politicians and thereby ensuring that they only use "correct" political techniques.
posted by You Can't Tip a Buick at 12:08 PM on March 18, 2016 [3 favorites]


Certainly something needs to be done, because frankly the state of the software industry today is a fucking disgrace and people should be embarrassed to be in a trade that keeps constantly, constantly making such huge, glaring, high-profile, life-and-property-destroying, international-headline-making, multi-billion-dollar fuckups.

Yes, "there needs to be a law". This is confirmation bias. You don't really know much about what the "fuckups" actually are.. at least enough to draw this conclusion.

Also, there is an adversarial aspect here that makes networked software not as isomorphic to construction as one would think from the outside. Let me know when a building inspector flunks your permit because you failed to take into account random arsonists.

I think codes might be a good idea, but they must be severely limited by domain. And, as I mentioned before, in most places where they are truly necessary -- they already exist implicitly -- making that explicit is not beyond the pale. (e.g. where people might be killed).
posted by smidgen at 12:16 PM on March 18, 2016 [1 favorite]


I think it's fairer to draw analogies between software design and political practice

Oooo, that's a fully nifty idea that I'm totally going to steal for future use in discussions (note: I am being completely serious).

...it also implies we should stop calling software folks engineers. So, let's do that also.
posted by aramaic at 12:28 PM on March 18, 2016


Software's failure rate is high because the opportunities for failure are that much more numerous.

I don't completely agree. I'm more with l_y here, that you can develop software in a manner that avoids a lot of common issues. Even just using the proper tools gets you most of the way there -- for example, not using C where it isn't appropriate. :-)

Look, (purely as a thought experiment, there are some practicalities and history involved), if Adobe had implemented their Flash plugin in a managed language or a strict language like Rust, most of the vulnerabilities here would not happen. Probably 95% of the issues are because people are using C code that is facing the internet. Even if they used C, but vetted their code like OpenBSD vets their code, they would probably get to 85%.

If you can ameliorate 90% of the issues by switching tools or methodologies, then you have to admit that attention to detail makes a difference.
posted by smidgen at 12:31 PM on March 18, 2016 [1 favorite]


> Oooo, that's a fully nifty idea that I'm totally going to steal for future use in discussions (note: I am being completely serious).

Just don't steal it in any academic papers and we're cool.

also if you know anyone who edits an academic journal, feel free to say things like "hey I've heard a bunch of people have been talking about how software design is more like political practice than like engineering maybe you should publish articles on that" to them.
posted by You Can't Tip a Buick at 12:31 PM on March 18, 2016


So hey! In case anyone was curious whether this stuff is having an effect, we got hit with Teslacrypt at work yesterday and the entire network was down for 45 minutes while they killed it.

Good times!
posted by selfnoise at 12:33 PM on March 18, 2016 [1 favorite]


You Can't Tip a Buick: "I apologize that there is simply not enough space in this comment box for me to fully elaborate on this claim"

The limit is "31,500 characters, or roughly six thousand words of English text" unlimited 128,000 characters. Actually the limit is on displaying the comment. You can go over the 128K on the input but only the first 128K characters will display.

smidgen: " Let me know when a building inspector flunks your permit because you failed to take into account random arsonists."

This is already accounted for in things like sprinklers. Lots of things in building (and electrical/plumbing/fire/security etc.) codes are designed for proof against malicious events. EG: the BC building code requires cross blocking in exterior walls next to exterior doors to make the building entrances harder to force with a crowbar. That rule exists purely to mitigate random thieves.
posted by Mitheral at 12:33 PM on March 18, 2016 [1 favorite]


To address the abstraction side -- I don't even think that's the issue. In fact it's the *solution* to the issue. Most of these security issues aren't at the level of abstractions -- they are at the level of basic shit most people abstract over. Buffer overflows happen because people are reimplementing the abstraction called "Buffer" a zillion times over, and of course, the law of large numbers says you're going to fail at least once :-)
posted by smidgen at 12:36 PM on March 18, 2016


Most vehicles are designed with anti-theft. Anything with a key is trivially, though modern elaborations of that are much more complex (engine kill switches, etc.). They're also fault tolerant, both to wear and operator failures to various degrees.
posted by bonehead at 12:38 PM on March 18, 2016


While we're adding a set of building codes to software engineering, can we also get a damned union up in here? sheesh.
posted by Xyanthilous P. Harrierstick at 12:40 PM on March 18, 2016 [2 favorites]


Sprinklers are for fires in general, not arsonists in particular. Doors are meant to keep people out (or in). What I'm talking about are holes in general construction. By analogy, I could well imagine a code for password entry forms and secure storage (again, already exists! see: HIPAA, etc.) -- but that's not the same kind of adversary.

I don't think there is anything truly analogous to avoiding adversaries in every single part of construction (e.g. someone exploiting the joins in your skylight construction), like there is in software. It's very different.
posted by smidgen at 12:48 PM on March 18, 2016 [1 favorite]


I don't think there is anything truly analogous to avoiding adversaries in every single part of construction (e.g. someone exploiting the joins in your skylight construction), like there is in software.

There absolutely are when you're talking about preventing intruders/burglars. Fences, lighting, locks, door types, wall construction, HVAC entry points, and sure, roof design are all part of designing a house that's going to be less rather than more attractive to burglars.

I've been involved (peripherally as a user) in the planning around secured facilities---security can cost more (a lot more) than the cost of putting up the building shell alone.
posted by bonehead at 12:59 PM on March 18, 2016 [1 favorite]


...it also implies we should stop calling software folks engineers

So if we think of software as more like political practice, does that mean I get to be a software scientist? Because that sounds even more awesome than "engineer".

I'm a big fan of higher quality software. I literally today just wrote a blog post in praise of sqlite3's test suite (600k lines of tests!). But I think what makes software development different from engineering or construction is that software is just so new. We're constantly inventing new techniques and problems. Multi-processing in practice is only 20 years old. Distributed computing with microservices is only 5 years old. Asynchronous programming, outside of some specialty areas, only hit the mainstream a few years ago when Node became popular. We can have codes and insurance for household plumbing because installing a toilet is not that different from how installing a toilet worked 100 years ago. Not so much with software.

I have a friend at Galois who has been working on provably correct software for 20 years now. I used to tease him about the impracticality of it, but they're building and shipping real usable code. Still not quite to the point where it's something you'd use on your desktop computer but we're getting closer. And while it doesn't solve all problems, it's a significant step forward from the memory-unsafe macro assembly language garbage we use now.
posted by Nelson at 1:05 PM on March 18, 2016


That's not the point, you were working with a facility designed to be secure.. therefore you have certain rules to follow. That is domain specific. Adobe was making a plugin to show movies and animations to delight web users. The objective of their software building process was not to build a secure enclave, and yet somehow it still became a requirement. It's much more complex. Similarly, I'm pretty sure that a random condo was *not* built with the ultimate security of the HVAC system or the roof in mind.
posted by smidgen at 1:09 PM on March 18, 2016


(They barely can keep the roof from leaking :-))
posted by smidgen at 1:12 PM on March 18, 2016


There are totally things in the building code that have to do with making sure that buildings have some level of basic security. See the comments above for lots of examples. But at the same time, as I said earlier, the building code doesn't even try to cover absolutely everything. People here who are saying that software is inherently much more complex than construction are, I think, really underestimating how complex a modern building is—especially something like a multi-story apartment building.

I am literally on my way back from a construction trade show as I write this, and the industry is an absolute forest of new products and systems and materials and tools right now—all of which have to be certified to comply with the code, and all of which have to be used in code-compliant ways. But code compliance doesn't guarantee that a building is perfect, or even good! All it does is ensure that you've covered at least the basics. The basics alone are enough to make the building code into a multi-thousand-page document with countless revisions, addenda, and amendments, but at least there are standards.
posted by Anticipation Of A New Lover's Arrival, The at 1:14 PM on March 18, 2016 [2 favorites]


Nelson: SURE! You can already be a Data Scientist; which in practice seems to mean "I know less statistics than a Mathematician, and less programming than a Software Engineer; but conversely more than the others."
posted by Xyanthilous P. Harrierstick at 1:15 PM on March 18, 2016


Similarly, I'm pretty sure that a random condo was *not* built with the ultimate security of the HVAC system or the roof in mind.

Roofs are difficult to access, but many are designed to have limited, locked access. Lots of people buy houses with solid core doors and windows. Lots of people look for condos with controlled access features (doors, elevators) and even a guard at the front.

Try selling a condo with an open design, poorly lit parking garage with lots of columns to hide behind and a crappy, unsecured entry door.
posted by bonehead at 1:15 PM on March 18, 2016


Speaking of adobe, buildings were invented in, what, 10,000 BCE? Everything on down to a garden shed should really by now be self-reproducing, able to fly, and invulnerable to nuclear weapons, so I'm afraid that the laggard state of the art in designing them simply doesn't deserve the moniker "engineering". Call us back twelve thousand years after software was invented and we'll compare notes.
posted by XMLicious at 1:19 PM on March 18, 2016 [4 favorites]


okay but in this analogy there are a number of organizations attempting to deliver elaborately designed counter-condos into your building, and some of the counter-condos are hostile and will make your condo completely inaccessible unless the condo owners pay ransom, but you've got to let some of them in or else you won't be able to afford to keep the lights in your building on.
posted by You Can't Tip a Buick at 1:22 PM on March 18, 2016 [4 favorites]


oh my god i love this analogy so much.
posted by You Can't Tip a Buick at 1:22 PM on March 18, 2016


"Roofs are difficult to access, but many are designed to have limited, locked access"

Yes, but you are missing the point. I know that "many" may be designed this way, just like there are very secure software systems. That is not "all", and implicit in "many" is that there *is* no universal code for (e.g.) roof security because in building codes, no one expects that a burglar will take over the 1920's craftsman down the block and use it to take over the neighborhood including the bank at the end of the street.

But I'm not going to argue this too strenuously, because, as I said, I don't think codes are impossible in software, just harder to figure out because the field is young and it's not really analogous to construction.
posted by smidgen at 1:34 PM on March 18, 2016


also it's not reasonable to compare civil engineering practices and internet software design practices. Most buildings don't have to be designed for deployment in a war zone, and tend to fall over quickly when exposed to concerted attacks.
posted by You Can't Tip a Buick at 2:08 PM on March 18, 2016 [2 favorites]


Nelson: "But I think what makes software development different from engineering or construction is that software is just so new. We're constantly inventing new techniques and problems."

The first building lit 100% by electric light was The Savoy in 1881. First electrical code in the US was implemented 1897, merely 16 years later, and was in constant major flux into the 1950s with significant changes happening even now.

But even then so many of the exploits depend on well known, been around since the 70s gotchas like buffer overflows. No one can expect software developers to avoid a brand new interaction but we should expect them to get the things covered in every first year programming class for the last 20 years right.

smidgen: " The objective of their software building process was not to build a secure enclave, and yet somehow it still became a requirement."

Sure, typical analogy problem where the spaces don't overlap 100%. But even in software there are programs where security just doesn't matter. A stand alone PLC with no network access might equate with residential security so go ahead and make whatever lazy mistakes you want. However the need for a secure enclave doesn't just happen somehow. Someone along the line makes an active decision to expose it to remote attackers via a network interface.

Anyways my comments make it seem like I'm advocating for a mandated software code enforced by licensing and penalties which I'm not. I just don't agree with the idea that it would be too hard/impossible. I mean that used to be a reason to do things to make things better.

I think of all those "smart" TV and fridges out there connected to the internet that haven't been patched, even if the end user wanted to, in 15 years and it makes me shudder. I also think we'd have a lot less proprietary crap out there if companies were made legally responsible for patching their code for 20 years.
posted by Mitheral at 3:04 PM on March 18, 2016 [1 favorite]


I'm advocating for a mandated software code enforced by licensing and penalties which I'm not. I just don't agree with the idea that it would be too hard/impossible

Regulation itself is not the goal. Regulation is trivially possible.

But I am very skeptical that anyone knows a set of rules that software developers can follow, or software inspectors can verify, that will ensure a large piece of software is anywhere near as reliable as we expect legally compliant physical structures to be.

The reason we keep finding exploitable bugs in browsers, operating systems, language runtimes, even stuff like SSH, is because nobody knows how to reliably prevent or detect them. It's not because everyone is just trying to cut costs.
posted by aubilenon at 5:51 PM on March 18, 2016


I have a friend at Galois who has been working on provably correct software for 20 years now. I used to tease him about the impracticality of it, but they're building and shipping real usable code.

And yet there exist techniques for breaking even provably correct software, because such software can only remain provably correct if it stays unaltered after being loaded into RAM.
posted by flabdablet at 11:18 PM on March 18, 2016 [2 favorites]






While strict product liability or construction defect probably isn't the right model, the horrified attitude of technologists who view and market themselves as professionals (whether or not 'engineers') at the thought of being held to anything resembling a professional standard of tort liability is pretty sad. Outcomes don't have to be completely predictable or the state of the art slow moving for there to be a prevailing standard of care under which one is committing malpractice.
posted by snuffleupagus at 1:15 PM on March 22, 2016


In other words, there's nothing so special about software that it makes the basic concepts of negligence completely inapplicable. Or is your adware more complicated, than, say, human neurology?
posted by snuffleupagus at 1:21 PM on March 22, 2016 [1 favorite]


But I am very skeptical that anyone knows a set of rules that software developers can follow, or software inspectors can verify, that will ensure a large piece of software is anywhere near as reliable as we expect legally compliant physical structures to be.....[t]he reason we keep finding exploitable bugs in browsers, operating systems, language runtimes, even stuff like SSH, is because nobody knows how to reliably prevent or detect them.

Generally, liability for professional negligence doesn't attach simply because you turned out to have made a mistake that led to some injury or damages.* It attaches because you didn't try hard enough to prevent it, according to the applicable, prevailing standard of care/practice, which is typically established by expert testimony. It's really not such a scary standard. What it requires is very, very far from clairvoyance or perfection.

*That is the flavor of strict liability, which would be pretty silly for most software -- but perhaps not all software, i.e. for autonomous cars and other things that could be likened to 'ultra-hazardous' activity.
posted by snuffleupagus at 1:34 PM on March 22, 2016 [1 favorite]


I think of all those "smart" TV and fridges out there connected to the internet that haven't been patched, even if the end user wanted to, in 15 years and it makes me shudder. I also think we'd have a lot less proprietary crap out there if companies were made legally responsible for patching their code for 20 years.

How bad is it with smartphones? It's my foggy impression that carriers systematically abandon their own older carrier-branded phones rather than helping keep them patched and up-to-date (2).
posted by sebastienbailard at 11:28 PM on March 22, 2016 [1 favorite]




This thread has been archived and is closed to new comments