Malvertising Campaign Hits MSN, NY Times, BBC, AOL 159
An anonymous reader quotes an article on Help Net Security: In the last couple of days, visitors of a number of highly popular media outlets including the NY Times, the BBC, and Newsweek have been targeted with malicious adverts that attempted to install malware (mostly ransomware, but also various Trojans) on their systems. The websites themselves weren't compromised as the problem was with the ad networks these sites use -- Google, AppNexus, AOL, Rubicon. The ad networks were tricked into serving malicious ads to the visitors.
Ad Blocking (Score:5, Insightful)
And then they'll tell us to please unblock them so they can make money on our misfortune.
Re:Ad Blocking (Score:5, Insightful)
I always thought their pleas to unblock their sites should reflect reality: "Please let us serve you malware!"
Malware distribution via ad networks is a very old an well-known scheme. It would be stupid not to block all ads. As no point can effectively be made without a car analogy; would you not wear your seatbelt if the owner of the road came to you with such plea?
Re: (Score:3, Insightful)
Here's an idea: How about someone writes an ad blocker that DOWNLOADS the ads, just like normal, but simply does not RENDER them on the screen, or execute any code? Seems like the best of both worlds: users that don't want to see the ads don't see them, and websites still get paid, since there's no way to tell if they actually got shown?
Re: (Score:2)
A lot of ads need the Javascript to run in order to display these days. If the Javascript fails they make sure the actual site content doesn't load either.
Re: (Score:2)
Interesting. Perhaps run the Javascript in a sandbox, but still don't display the resulting ad?
Oh well, perhaps the liability here needs to fall on the ad networks that are serving up malware without scanning it first. Sort of like if CBS started airing advertisements from some Evil Overlord that caused brain hemorrhages in people who viewed the ads...
Re: (Score:2)
If I use an ad network to serve up ads I'm still responsible for the content that goes out under my site's name. It doesn't matter that I've outsourced it to a third party.
Re: (Score:2)
I'd say so, yes. However, I don't see any way to make that mean anything in the real world. You're going to have a hard time proving that you got that malware from your visit to Vladimir's House of Russian Boobs instead of the New York Times (which has served malware), and if you can prove it good luck suing and collecting.
Re: (Score:2)
Here's an idea: How about someone writes an ad blocker that DOWNLOADS the ads, just like normal, but simply does not RENDER them on the screen, or execute any code? Seems like the best of both worlds: users that don't want to see the ads don't see them, and websites still get paid, since there's no way to tell if they actually got shown?
Won't work anymore. Big advertisers want proof that their ad was seen, via Double Verify or similar, and only pay for ads that were in front of users for a certain amount of time. Javascript and CSS make this easy to measure, and hard to work around.
Re: (Score:3)
The good news is that with a script blocker you also effectively cut out the malicious ads while still allowing the non-exectable ads to come through. This, to me, is a good compromise as it still allows for ad supported content from ad vendors that don't use obnoxious/dangerous ads.
No need for an ad blocker unless your actual motivation is just to not see ads period
Re: (Score:2)
I tried that. It turned out that the sites I used started using lots of third-party scripts. I'm willing to accept that, but I can't tell the difference between a source that makes the site work and one that makes the ads work. I installed AdBlock Plus, and simply don't surf where I'm explicitly not welcome.
Re: (Score:2)
Downloading the ads but not displaying them is still stealing and wasting my bandwidth. The best solution is to simply block them.
Re: (Score:2)
Huge waste of bandwidth. That's a large problem with ads is that the amount of information and processing to serve up the ads is often greater than the actual content that the user wanted. If someone is on dialup this would be a horrible option to have.
Another problem is that this is deceptive. You're telling the ad agency that you saw the ad when you didn't, money changes hands, etc. Then the web site learns that this ad service is making it some extra money so it keeps the ad service, drops its plans t
Re: (Score:2)
Here's an idea: How about someone writes an ad blocker that DOWNLOADS the ads, just like normal, but simply does not RENDER them on the screen, or execute any code?
There is an extension called Ad Nauseum [github.io] that does what you seem to want. Check it out.
Re: (Score:2)
That looks very interesting. Thanks for the informative response!
Re: (Score:2)
Re: (Score:3)
I suppose that's possible. I'm definitely not an expert on the ad networks, or how they calculate ad impressions, but I fail to see how they could distinguish between an ad that's on my screen but that I don't interact with in any way (which is the vast majority of them) vs. an ad that was served, but not displayed on my screen. It's not like I'm doing a captcha on each ad to prove I'm a human and not a computer.
Re: (Score:2)
I had no idea. Thank you for explaining how that works.
See people, sometimes Slashdot really can be a place for the thoughtful exchange and discussion of ideas. And trolls. Lots and lots (and lots) of trolls.
Re: (Score:3)
If the code is not executed in a browser. Just download anything from any of the ad networks to /dev/null.
Re: (Score:3)
The developer version of Opera now has built-in ad blocking. One of the neat things that it includes is the chance to load a page without it and with it, in a side-by-side comparison, and it's rather interesting because it also gives you a loading speed and then shows you the differences.
I've done some playing with it...
Normally, I block ads and scripting that's not from the originating domain. I don't see ads, I don't like ads, I will happily donate (and I often do) to keep a site up if it is looking like
Re: (Score:2)
I've found it impossible, in the past year, to look at the long list of third-party script sources and figure which are there for the page to work and which are for advertisements. I want to use these sites, and am willing to accept scripts they are using (and presumably think are safe). That may be foolish, but it's my decision. I do not want to use scripts the sites themselves have nothing to do with.
Re: (Score:2)
I've kind of figured out which ones I generally need to allow to get the functionality I need/want out of it. It has taken a lot of playing but I had the time and motivation. I should probably document my findings somewhere.
Re: (Score:2)
I don't have the motivation, anyway, and I'm sure the list of necessary third-party script providers is going to keep changing.
Re: (Score:2)
I've never noticed the page to tell the difference and it's really not as good as I'd like - I still see occasional ads and there's no way to refine it beyond that.
(I've got Midori installed - I just had it running a few minutes ago as I was checking a page's display in it.)
Re: (Score:2)
Yeah but it gets funky when you change the settings for scripting and the Netscape plug-ins and whatnot. So, I always check in Midori just to be sure. I even check in Lynx and do what I can but, alas, I'm not a good web designer nor am I at all artistically inclined. That's why I check in Midori. ;-)
If you're interested in light, check out Lubuntu with LXDE. It comes with Midori as the standard. It's what I use, even on much faster hardware, as it's my preferred desktop environment. You might be surprised a
Re: (Score:2)
I state the obvious when I say I agree entirely with your choices and think you're brilliant for having made those choices. I not only concur, I do similar.
However, I prefer a more robust experience with the web. I use Opera and have a set of extensions that enable me to do so.
I use a bunch of manually added searches in there.
A translator by some dev called "SailorMax."
uMatix.
FreeDictionary Plugin - I could probably just add the search.
SurfEasy (not really required).
uBlock (not really required with uMatrix
adblockers (Score:1)
And this is exactly why we need to run adblockers.
And they wonder why I use an adblocker.... (Score:5, Insightful)
The websites themselves weren't compromised
The ads appeared when I visited those websites, therefore it appears the websites are responsible for spreading the malware.
Re: (Score:3)
"The ads appeared when I visited those websites, therefore it appears the websites are responsible for spreading the malware."
And if they tell us to switch off our adblocker, it's aiding and abetting.
Somebody has to sue those idiots some time.
Re:And they wonder why I use an adblocker.... (Score:5, Insightful)
These companies forget why google exists, why they are successful. In the 90s, there were 2 choices; use an add aggregator and get lots of malware, or manage all the ads in-house and lose money because it isn't your core competency and is hard. Google was the one that didn't shop the ads out to fourth parties, they didn't let advertisers choose the HTML code. That meant no malware.
Users who don't have their own protection will rightly blame the website who exposed them. The scammers basically "are" the NY Times. It is like signing an "online power of attorney" when you let external ad networks choose what HTML you'll serve from your site. They won't ask for that ability in the first place because they have good intentions. If they had good intentions, they'd just want to provide their media, instead of code.
Not only are they responsible for what they serve, they explicitly chose to give these people the power to do this.
Re: (Score:2)
Search engines in the late 1990s were being trashed by SEO companies. Yahoo's manual curating of the Internet (haha) couldn't keep up. The standard crawler/keyword search tools were generating page after page of useless results.
Google exists because they had a different algorithm. The fact that they managed their ads carefully is one of the very many reasons they're still relevant... but their existence is entirely because of their search engine.
Re: (Score:2)
I think the grand parent is talking about how Google became the dominate online ad company, not how it became the dominate online search company.
Those who two separate events, both important in making what Google is today.
Re: (Score:2)
It's a shame that anti-virus companies are so spineless. If they really wanted to protect their users they would integrate ad blocking into their products, and then start to aggressively push blocking of third party scripts and frames. Add some tracker blocking like the EFF's PrivacyBadger.
Re: (Score:2)
Actually, it's not the ad that compromised the computers - it's the piece of software that the ad prompted the users to download and install. Presumably antivirus software could protect against that without blocking the ad. I assume malware that hijacks a computer is illegal, and presumably ad networks don't accept ads anonymously (or do they?). If so, how do they get paid? It shouldn't be too hard to track down someone trying to distribute malware this way...
Re: (Score:2)
From my perspective as somebody not usually using anti-virus they seem like very different products, and I wouldn't want them merged.
And when I'm using a virus-scanner professionally, I don't want one that does extra stuff and has extra data to download.
Also, the virus scanner I would use changes over time. In the 90s, I would just use the McAfee free FTP server (password: ftp123, discontinued many years ago). Then for awhile Norton was the only one that worked well. These days I use AVG. I don't want them
Re: (Score:2)
Re:And they wonder why I use an adblocker.... (Score:4, Insightful)
It is sort of a Catch-22 for the providers. They get money from the ad networks, who are all compromised, but have no way of stopping what is served themselves.
So, the right solution is to block ads.
However, if the ad blockers aren't turned off, they get no money from the ad networks.
Ultimately it is the ad networks who are responsible, and no one is able to hold them accountable except maybe some top flight content providers.
It would be better for the content providers if they could just shut off ads and find another way to pay for creating their content, but no one wants to reach into their wallets and pay money to do so.
The one thing that the ad networks do is that they do tend to make getting money to content providers a more simple matter than attempting to obtain and keep subscribers. Subscribers aren't sticker shocked for paying $10 for a site that they just wanted to read one story on, so the general public is paying indirectly by buying products and paying into a pool of advertising money.
Re: (Score:2)
It is sort of a Catch-22 for the providers. They get money from the ad networks, who are all compromised
Not at all. Google text ads have never been compromised, not least because they only let you set text and no images or Javascript etc. Sure, you get less money, but at least you don't open yourself up to massive financial liability for all the PCs you damage.
You can also serve the ads yourself if you are big enough, manually vetting each one. Again, you get less money, but soon it will be the only option as everyone starts blocking.
Re: (Score:2)
I agree that the non-obtrusive ads, like Google's, are generally safer almost by definition.
However, there is a reason there has been a rush to completely shit up content with flashing, in your face, Javascript and Flash ads. There's a lot of money in text advertising (a fact that Google has taken to the bank), but there's a lot of money being left on the table without ads that catch the eye better.
I tend to think of the "acceptable" ads campaigns like the ad blockers are doing is sort of like the Washingt
No advertisement is acceptable to me (Score:2)
Advertisement is a huge waste of resources:
Companies spend a part of their profits to spread subjective (i.e. false) information.
This is paid for in the end by the consumers themselves, as the advertising budget is paid from the profits.
So we as consumers pay, to get annoyed, to get our time wasted, and to get false information.
Advertisement is a plague of humanity, I'll do everything to shield myself from it.
Re: (Score:2)
Agreed. The BBC, New York Times, and Newsweek are all large enough to handle advertising themselves. They're much larger than the average clueless blogger hoping to earn enough money from ads to quit his day job.
Re: (Score:2)
It would be better for the content providers if they could just shut off ads and find another way to pay for creating their content, but no one wants to reach into their wallets and pay money to do so.
Google contributor is an attempt to do that.
Personally, I've found that for most websites, when they complain about my ad blocker, I realize I don't really want to go there anyway. My time has been saved for better things.
Re: (Score:2)
It's not a catch-22. The problem is that they insist on maximizing profits. So instead of serving up their own advertising like a responsible corporation they farm this job out to whichever ad agency provides the best monetization. The simple way to control what ads are presented on your web site is to choose the ads yourself. It's how television, radio, and print media all work.
Re: (Score:2)
Real talk though, precedent or not these wide-net causality chains are bullshit. It's arbitrarily applied, which is another way of saying "weaponized against anyone that lacks power/authority/money/lawyers".
Re: (Score:2)
The ads appeared when I visited those websites, therefore it appears the websites are responsible for spreading the malware.
If it were that easy this wouldn't be a problem. You've got a least three players here: The website running ads and trying to fight off the bad stuff, the ad networks which only sometimes care enough, and the advertiser trying to game the system into running bad ads. It's a continuous arms race, and as a website owner you end up in reactive mode, rather than proactive.
Re: (Score:2)
The web sites are intentionally going with a third party service to load up the ads. They pretend to keep their hands clean this way. If some company wants to have their own website then they should do the full work of it themselves rather than outsource the advertising side of their business to disreputable services. A print magazine does not send out it's content to a third party to insert randomized ads instead it has the advertising as part of its business, so a web site should be able to do the same
I do serve ads on my site (Score:2)
Maybe (Score:2)
Sure... Maybe... But this is based single reference to a short 5 paragraph "story" on a click-bait site.
Re: (Score:2)
.
http://www.computerworld.com/a... [computerworld.com]
...Trend Micro wrote about the same attack on Monday. Segura said he delayed publishing a blog post while he contacted major advertising networks, including Google's DoubleClick, Rubicon, AOL and AppNexus, to get the malicious advertisements removed. He published a post on Tuesday. ...
Re: (Score:3)
Some was probably pimping their shitty blog for ad impressions. Here [arstechnica.com] is a link from Ars Technica.
Re:Maybe (Score:5, Funny)
Re: (Score:2)
Re: (Score:2)
Sorry, but one of the rules of this story is that your thread is supposed to say something about ad blockers. Where's your ad blocker comment?
BBC? (Score:2)
I've never seen an advert on the BBC site. I've just had a browse to confirm that. Maybe they have some geo-location check in place.
Re:BBC? (Score:4, Interesting)
Adverts are shown to users visiting from non-UK IP addresses on all participating BBC websites.
So, Forbes, Wired, et all (Score:5, Interesting)
Deja-Moo - that feeling you've heard this bull before.
Re: (Score:2)
/sarcasm The same reason it is "wrong" to close your eyes, mute your sound, and/or go do something else. Oh wait, you implied a valid reason -- there is none -- you're talking to fucktards who don't understand the concept of respect.
Re: (Score:2)
Here is my suggestion to websites that don't want people to use ad-blockers:
Agree that website visitors will be fully compensated for any damage caused by malicious adverts. And when I say "fully", I mean that the website operator will pay for full cleanup of my PC by a qualified IT professional and pay for my loss of productivity because my PC is inaccessible.
Don't want to take on that risk? Then don't block people using ad-blockers.
Adblocker = Malware blocker (Score:5, Interesting)
Adblocker & related tools should change their marketing from 'helping you to block ads' to 'helping you avoid Malware/trojans etc.'...e.g. they should advertise & promote themselves as a 'security tool'...everything out of their mouths, on their website etc should be focused on that use case. Any time some politician opens their mouth about how adblockers are 'stealing' or 'ruining' some business the makers of adblocking tools should retort with statements about 'helping users security' etc.
Re: (Score:2)
I agree that they should play up the security aspect as much as they can, but ultimately I think they are best staying out of the morass of "security" products out there. They are picked by users because they block ads. People hate ads. They hated them before they realized that they were sending malware to their computers. Now they simply hate them even more.
I think the brand that ad blockers have is their biggest asset right now, actually. But they would definitely benefit by adding security as a big
Re: (Score:2)
Re: (Score:2)
coders don't do shit for free
You do realise the internet is pretty much built on code written for free?
Re: (Score:2)
Thing is, I don't care about ads that follow reasonable guidelines. I want the adblocker primarily for safety, and secondarily to avoid large annoyances. If ads don't autoplay any sound, flash too distractingly, make it hard to use the page, or serve malware, I don't really care.
Re: (Score:2)
I don't know if you are new here or if you just stopped lurking & got an account, but you have made 3 particularly douchey posts (that I have noticed) on this topic alone. Please spend some more time lurking or figure out what is making you miserable in life and deal with that before posting on Slashdot.
I mean this sincerely, I don't like to see people as unhappy as you seem to be.
Bring on the 'flamebait' or 'troll' mods, I have Karma to burn & I felt it needed to be said. Not posting
Ouroboros (Score:2)
May the circle be unbroken.
Far from the first time (Score:2)
they're ALL malware (Score:2)
So where are the lawsuits? (Score:2)
Surely the ad network(s) or the sites themselves can be sued over this?
Re: (Score:2)
Surely the ad network(s) or the sites themselves can be sued over this?
It's all automated, right? The ad "network" has no idea where the ads are coming from or what they contain. Some simple checks, maybe, but the originator is behind several layers of middlemen, so it's hard to identify them. And of course, half the middlemen are in .ua, .ru or .cn domains, and change their names every week.
So, none of this is surprising and that's why I, too, will continue to run an ad-blocker, as well as noscript.
Re: (Score:2)
Re: (Score:2)
I agree it's not surprising but the only way it's going to change is if someone is held responsible. If they have "no idea where the ads are coming from or what they contain" then they shouldn't be embedding them in their web sites.
I hear you. But I'm having trouble believing that "ad networks" who, even when they're operating legitimately, are showing ads offering to lower your credit card interest or help you sell your house, are going to be discriminating or responsible about what they accept or who they accept it from. The whole system's broken. These guys are about as responsible as robocallers.
Re: (Score:2)
You can sue anyone for anything. Really, that's largely true. Feel free to try to bring suit against them. You might just as well throw in (and I'm not kidding) the site, the hosting company, your browser's vendor, the person(s) involved in making the site, the hosting company (if applicable), the owners of the data center(s) (if applicable, the person(s) tasked with operating the data center, the ISP(s) involved, and anyone with "security" in their title at any of the above companies/providers.
You're not g
By what definition were they not compromised? (Score:5, Insightful)
The websites themselves weren't compromised as the problem was with the ad networks these sites use
If you've configured your site to allow arbitrary content from unknown third-parties, your site is compromised by design. If the mere act of rendering the content that your site is sufficient to get malware, then, yes, your page is compromised. Doesn't matter if the source of the malware was in somebody else's ad service. If that service feeds data directly into your site that you then present to your visitors without any sort of vetting or filtering, then you've allowed that malware to compromise your site.
Take responsibility, show some respect for your viewers, and stop making excuses. Vet your ads. Serve them from your own servers. Make them first-party. Compelling us to turn off ad-blockers to access your content while not taking steps on your end to protect us from malicious content is sloppy, negligent, and shows an utter and complete disregard for your customers.
Re: (Score:2)
Oops, accidentally cut some text. Meant to say...
If the mere act of rendering the content that your site serves or otherwise provides is sufficient to get malware, then, yes, your page is compromised
Re: (Score:2)
Re: (Score:2)
No one said anything about legal liability, but, yes, it is the site's responsibility to vet the ads that are shown on their site. If they don't want to live up to that responsibility then they need to fuck off and die when they whine and complain about ad blockers.
Re: (Score:2)
So slashdot is responsible if I post a fake link to an article in a comment that installs malware? Slashdot CONFIGURED their site to allow arbitrary content from third parties (me) and indeed says they are not responsible for said content. Funny how that doesn't hold up for torrent trackers, but I digress. I think you are mistaken. While morally the site is responsible, legally no one is. Not even the ad company. That's the kick in the dick part of all of this.
No. Slashdot does not redirect you to that website. Nor does Slashdot load any object from the URL you posted. Someone must choose to follow your malicious link. When you go to the NYT website you are forced to either accept 3rd party content that the NYT has no control over, or block the ad. Since it is NYT that is redirecting you to the malicious content, they are responsible.
Re: (Score:3)
Slashdot CONFIGURED their site to allow arbitrary content from third parties (me) [...]
Our comments are not "arbitrary content" in the sense that I intended it with my previous comment. Our comments have a strictly enforced format made up of text and HTML tags that have been vetted to prevent abuse. Not so with ads, which oftentimes include some combination of iframes, Javascript, cookies, images, Flash, and any number of other objects, none of which have gone through the sort of vetting process that the permissible HTML tags have gone through here.
And I was speaking ethically, not legally. W
Re: (Score:2)
"If you've configured your site to allow arbitrary content from unknown third-parties, your site is compromised by design. "
Stronger version: If you have taken money to specifically configure your site to allow arbitrary content from unknown third-parties, you are an accessory to the resulting crimes..
Re: (Score:3)
If you've configured your site to allow arbitrary content from unknown third-parties, your site is compromised by design. If the mere act of rendering the content that your site is sufficient to get malware, then, yes, your page is compromised. Doesn't matter if the source of the malware was in somebody else's ad service. If that service feeds data directly into your site that you then present to your visitors without any sort of vetting or filtering, then you've allowed that malware to compromise your site.
You do realize that a site only embeds the ad network code, not the final downloaded content? I.e. yes, a site takes some sort of responsibility when deciding to run ads from an ad network. Beyond that, however, every user gets potentially different ads. There are real time bidding platforms and user profiling code in the middle, completely outside the direct control of the website.
Re: (Score:3)
You do realize that a site only embeds the ad network code, not the final downloaded content?
Yup. And that's exactly the problem. Just as we'd question the judgment of a ship designer who put a gaping hole below the waterline that let seawater and sea life in, and just as we'd question home builders who decided it was better to simply leave out one of the walls from the final construction, so too should we question any website design choice that entrails giving unknown, untrusted third-parties free access to put anything they want on a site. The fact that the hole was placed there intentionally by
Re: (Score:2)
Re: (Score:3)
Backing up for a sec, thank you. You guys have been rocking it recently. Love the addition of HTTPS, and it's great to hear that you're bringing UTF-8 support as well in the future.
And back on topic, I'm know I'm being idealistic (perhaps even naive) in my viewpoint, since there are business realities about the world as it exists today that make the "right" way of doing things difficult or impossible. Even so, the way that ads are delivered today is broken by design and NEEDS to be fixed. That these techniq
Re:By what definition were they not compromised? (Score:4, Insightful)
The sites' customers are not you; you are the fucking product, dipshit. You are what they are selling to the advertisers, durrr.
Setting aside the silly ad hominem, let's go ahead and approach it from that angle, since I agree that it's a valid way to view the situation (it's the view I typically espouse, in fact). Our attention is a limited resource, and it's the product that these sites are packaging up and delivering to their actual customers. But just as loggers or fishermen will quickly find themselves in an untenable position if they show a complete and utter disregard for the natural resource they collect, so too will these sites find themselves in a similar position if they do the same. Even if they don't pay me the attention I'm due as a customer, they should still show a proper regard for me as the resource that they deliver to their customer. Or, at least, that's what they should do if they want to stay in business.
Incidentally, you've mistaken my thinking poorly of their design decisions for outrage. I think it's their prerogative to serve third-party ads if they want, just as it's my prerogative to block third-party content by default. I think it's their prerogative to block me because I'm blocking their ads, just as it's my prerogative to stop visiting their site in response to that block. They're acting within their rights, but as with pretty much any business decision, there are consequences, and I believe that they haven't yet weighed the pros and cons correctly.
Re: (Score:2)
I think it's their prerogative to block me because I'm blocking their ads, just as it's my prerogative to stop visiting their site in response to that block.
I agree completely and have actually stopped going to some sites for either this reason or similar.
I'm a big Football(American) fan and I love to read the analyses of this sport from many perspectives. There are a few NFL oriented sites that are such a clusterfuck that I just stopped going to them. It is not possible to selectively choose which things under their umbrella to allow through my browser, there is so much disparate gobblygook bullshit...
If I can't selecti
I love host file ad blocking for this reason (Score:2)
The guy at this site maintains a crazy list of advertisers and malicious site DNS records... then points them all to 0.0.0.0 using host file format. It has served me well for years now.
http://winhelp2002.mvps.org/ho... [mvps.org]
Re: (Score:2)
I know, personally, the originator and some of the folks who maintain the list. It's all good - if you do the web-of-trust type of thing then I'll "sign their certificate." I extend my trust reputation to them. They're good people and do what they can to maintain a clean list. At the very least, you can easily scan it visually and ensure that nothing is out of place. So long as it doesn't send anything anywhere other than 0.0.0.0 there's not much it can do to actually cause harm.
Now, if they're including th
Ad malware is a serious issue (Score:2)
At times it becomes impossible to browse the web from my phone - it seems like every now and then someone successfully pushes this crap to ad networks, and since 99% of all sites use them it becomes inescapable.
Google et al should be accountable for offering a service delivering malware. And, web publishers, i know this is not exactly your fault but i don't care. There are a good number of sites i'm no longer visiting because either they redirect me to porn sites every time or reject ad blockers, which i us
Re: (Score:2)
There are a good number of sites i'm no longer visiting because either they redirect me to porn sites every time or reject ad blockers, which i use to avoid this situation in the first place.
Same. I just go to the porn sites directly now.
Get your shit together.
https://www.youtube.com/watch?... [youtube.com]
Running Ad Blocker like running Antivirus (Score:5, Insightful)
Seriously.
Sure, some people can (and do) run for extended periods of time without getting compromised without ad blockers or AV.
In the end, it's just a matter of time before they're infested.
And yes, compromises on large ad networks like Google may be somewhat rare. But that doesn't help me when a website using their network gives me a drive-by install of Locky or or something that totally hoses all my (or my company's) data.
As such, there is NO negotiation about ad blocking. It's happening. PERIOD.
Until the entire ad industry formulates an acceptable ad policy that people can live with, that DOESN'T pose a danger to its users, ad blocking will continue.
Now content providers are free to take their ball and go home. I don't much give a shit. If given a choice between having my personal and company data destroyed/stolen and watching every content provider on the Internet crash and burn due to lack of ad revenue? Let the fuckers crash and burn!
Re: (Score:2)
Until the entire ad industry formulates an acceptable ad policy that people can live with
They do have acceptable ad policies -- which forbid malware. That doesn't stop malicious users from sneaking it in, or more commonly, the ad servers getting hacked. Your proposal will not solve anything.
Hence the "industry wide" qualifier.
Also, ad blocking would continue even then. Just, more sites would get white listed.
Can someone explain the enumeration aspect? (Score:2)
Our suspicions grew further when de-obfuscation of the script revealed that it tries to enumerate the following list of security products and tools in order to filter out security researchers and users with protections that would prevent exploitation ... If the code doesn't find any of these programs, it continues with the flow and appends an iframe to the body of the html that leads to Angler EK landing page."
So, if I understand this properly, if the Javascript code finds these files, it doesn't serve up the malware landing page. So, if I understand it properly, adware networks, along with any other site's Javascript code, can see what files I have on my PC? WTF--can I shut off that ability? I can see no justifiable reason why any Internet site, short of one or two I mi
Re: (Score:2)
I thought Javascript only had the ability to open a file via a prompt asking the user to select which file to read.
Who knows, maybe it's Javascript + Flash or Javascript + Java or some other insane mix.
Damnit (Score:3)
I guess I'll have to turn off Adblock and NoScript so I can take advantage of this wonderful opportunity to get my free malware.
Just abolish advertising (Score:2)
Long ago I saw a story about a CEO who admitted cheerfully that half his advertising budget was wasted. He just never knew which half. I couldn't help wondering how he knew that it wasn't all wasted.
Perhaps people like the average slashdotter find it hard to understand why advertising works. After all, we tend to be well educated and inclined to focus on facts and logic. (We like to think...) But surely it suggests a very disparaging view of the average consumer to think they would be powerfully influenced
Re: (Score:2)
I tend to think that one reason we still have an internet is because commercial businesses found a way to monetize it. If they had barriers to doing so, there would be a lot less of a reason to develop it, and more push back against it. (Much like the push back against the torrent aggregators or the piracy focused file sharing websites).
Bitcoin is still legal here because businesses found a use for it and they don't care about the drugs or money laundering. But if they couldn't use it, those other issues
Re: (Score:2)
So what would be the effect of completely abolishing advertising? (Just as a thought experiment: we can think about how to do it another day).
As somebody that hasn't watched broadcast TV in 20+ years, seen the decline of magazines and newspapers, and stopped reading even the local weekly newspapers, I can tell you some of the effects. First, I found myself completely out of touch with pop culture. People would talk about things or I'd see some of the advertisements I didn't miss, and there would be bands, celebrities, etc that I've never heard of but had been big for years. I didn't really care for them but some of my friends did, usually the one
Re: (Score:2, Offtopic)
I hope you die horribly.
Hey don't bully 12 year olds online!
Re: (Score:3, Insightful)
I hope you die horribly.
Why? I don't like what they have to say and, as is known, I'm even part black. It neither bothers me nor does it make me wish death (or even horrific death) on them. There's lots of things that people say and do that I don't particularly like. I don't have to like everything.
If we eliminate things we don't like then, eventually, there will come a time when you're in the group of people that is disliked. You don't think morality stops with just what you want, do you? I can assure you, there are people who do
Re: (Score:2)
There's a big difference between wanting them to die and wanting them to die horribly.
The first one, I guess I can accept the reasoning behind that. The second one baffles me. I'm not sure how my prior comment is a troll but it's all good, I've got karma to burn.
Re: (Score:2)
Yes, yes it is. Well, at the very least you should practice safe hex and keep a least-privilege point of view with all of your computing activities. This is nothing different.
Why are people allowing more unknown code than necessary to run on their computer? And no, ignorance is no excuse - it's up to the user of the tool to understand how to use it properly. Some personal responsibility is important. Learning to safely use the tools is an essential part of using those tools and there are a whole lot of free