Ad Nauseam (hackerfactor.com)
Surveillance is not the leading cause for adblock, it's because people don't like ads and a 1-click install to remove them is incredibly easy.
Advertising online will always have some sort of tracking because that is the benefit of advertising online - to know the real metrics of who has seen and clicked and engaged with an ad. If you're worried about real privacy issues, you should focus on Facebook/Google and government agencies.
The difference? Adblock Plus can be extended to block trackers by adding block lists to the default, while uBlock Origin has those lists activated by default. Then Adblock Plus lets through some ads they whitelist for money and supposedly good behavior; uBlock Origin has no such policy, for the reason that uBlock is the work of an individual who wants a better online experience while Adblock Plus is now the product of a commercial company.
In my case at least, "surveillance" doesn't factor into it. If I were to see ads, I'd actually prefer they be targeted to my interests.
Right now (and without ad blockers): Go to homedepot.com, search for toilets, and view one toilet product page. This marks your interest. facebook.com will show you ads for toilets for the next month.
"By converting unsafe flash-based ads to safe HTML5 ads, they lower the risk of infection from a hostile ad." is laughable at best
An Ad Network is one of the fastest ways to deliver a payload to a lot of users
Don't fool yourself, Operating Systems, Browsers and HTML5/JS also have a hell lot of CVE that can be exploited
It's funny how a company like Google, making billions from ads and having tons of smart engineers, has never figured out during the last decade how to "scan ads for malware".
It's not like anyone can upload an ad to those big networks, or that they don't QA the ads before delivering them ...
Imagine this unlikely scenario: malware delivered by HTML5/JS
I guess we'll all have to run for the hills if that happens
If you don't think anti ad blocker is a problem, where is this article coming from? Hmmm, afraid that more websites would follow the trend so less content to read? The attitude that this is only websites and advertisers' problem is not as constructive as the author might presume.
So effectively what you're saying is that we should eliminate ad networks. There is no reasonable way to screen every ad before it is shown when using an ad network. So in order to be safe from lawsuits, publishers would have to go back to directly contracting with advertisers for every ad. Certainly there would be some benefits to that in terms of reduced low quality ads. The problem is, the added overhead of doing so would put many small publishers out of business. Dealing with individual advertisers is a huge job, with massive economies of scale; it just doesn't make sense for websites that are orders of magnitude smaller than Forbes and Yahoo.
The mafia comparison feels much more like a stretch when talking of ad blockers than when talking of the bulk of the world's news sites secretly (unless inspecting network traffic or HTML code) using a common few advertisement agencies.
I think the recent cookie laws feel pretty useless, especially since cookies aren't nasty by themselves. "Hi! This site uses cookies! Click here to learn more." It doesn't tell me anything. It doesn't imply that the site is evil nor good. However, give me a law requiring web sites to say "Hi! We are part of a tracking network where your behavior on this site will be registered." Then we're talking. Where the link doesn't lead to an explanation by the publisher, but be required to lead to a link on an external part with an easily digestible, up front explanation of what an ad tracker does and can do. I'm honestly quite fed up that this offensive behavior can keep going on behind the scenes. All people see are photos of a new car model. A normal ad that is anything but normal.
For as long as there is this World Wild West on the publishers' sides, I'm not going to change my behavior on defending myself. Because I look at this as a form of defense. It's simply like running antivirus tools on Windows. I wouldn't want a trojan horse to be downloaded that uploads my browsing behavior to some server either. The difference from what these guys are doing seems razor-thin.
I'm not sure where these numbers come from, but unless you are in fact running a spam site, and likely even then, revenue per click is going to be higher than a fraction of a cent. As a random data point, it looks like the combined revenue per click from Adsense on our sites is around 30 cents per click at the moment.
That's pretty optimistic, on some ad networks representative CTR's are lower by an order of magnitude or two.
If I happen to click on an article from facebook on my phone, the resulting page shouldn't be something I can't even scroll/read because it's so riddled with ads.
Another part is an extension of what TFA says... they should be held responsible... current techniques are iframes, and when a timeout occurs or it bounces to another ad network, another layer of iframe and tracking scripts runs... if an average ad is 3 layers of iframes, and an average page has 5-8 ads, that'd be 15-24 complete extra browser contexts just for ads...
So now the other end of the ad is not faceless/identity-less. If the ad is found to serve malware, there's someone to ban/take action against (like banning from a good-paying ad-audit job for life). Ad-networks that require the golden rule can be white-listed by blockers, and become trusted. Networks that don't are considered malware havens.
Could this work? In the current ad-blocking war, the use of ad-blockers will only rise-and-rise, and something has got to give.
Truth hurts? Adobe Flash and Microsoft Silverlight are common exploit paths because they have new critical exploits every few days. Here's the CVE list for Flash -- notice how many critical exploits there are? It averages to about 1 every 3 days. https://www.cvedetails.com/vulnerability-list/vendor_id-53/p...
In contrast, JavaScript itself has been pretty stable for years. I think the last vulnerability related to JavaScript ES5 impacted old Firefox browsers. http://www.cvedetails.com/cve/CVE-2015-4516/ https://www.cvedetails.com/vulnerability-list/vendor_id-452/... (Two JavaScript exploits for Firefox in 2015, both low risk.)
And HTML5? Extremely stable. There may be specific plugins or specific browsers that are vulnerable, but the underlying HTML5 specifications are very safe and have been safe for years. https://www.cvedetails.com/google-search-results.php?q=html5...
If you know otherwise, then please cite the specific CVEs. Otherwise, you're just spreading false information. You wrote, "Browsers and HTML5/JS also have a hell lot of CVE that can be exploited". I say: Prove it. Cite your sources.
Edit: Adding links to Firefox exploit CVEs.
"If you know otherwise, then please cite the specific CVEs. Otherwise, you're just spreading false information"
man, you are so full of it
want proof? no problemo
1. CVE are organised by vendors and products
HTML and JS does not show as products, only browsers
see http://www.cvedetails.com/top-50-products.php
look #3 Firefox, #4 Chrome, #8 IE
that explains why you will never see a specific HTML and/or JS CVE, that does not mean they don't exist.
Also in terms of volume, browsers have more CVE than Flash, it's all here in the numbers: Firefox 1320, Chrome 1216, but no let's ignore them and focus on Flash 713 CVE.
Just that it makes your whole argument biased, the part "JavaScript itself has been pretty stable for years" is ridiculous, search for JS blackhole exploit, Rowhammer.js exploit, Heap Overflow exploit in JS, etc. you don't see them in CVE but they are here and exploitable.
It's better to think that JS is secure looking at that http://www.cvedetails.com/vendor/10288/Javascript.html
yeah no exploit in JS, none, we are all safe LOL
this for example http://www.cvedetails.com/cve/CVE-2015-0817/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817 https://www.mozilla.org/en-US/security/advisories/mfsa2015-2...
you don't see it show up under the tag "JavaScript"
2. Number of CVE listed does not equal CVE exploited in the wild
so you say "It averages to about 1 every 3 days", that's completely false
1 vendor patch for a particular product can close numerous CVE at the same time so it's more like "we squashed 50 CVE in 1 day"
look at http://www.cvedetails.com/cve/CVE-2015-8449/
follow up on https://helpx.adobe.com/security/products/flash-player/apsb1...
that's 1 patch, it does not indicate 1 CVE every 3 days, look at the details
"These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-8050, ..." that's more than 50 CVE of the same type patched and closed at the same time
Also look at the "Acknowledgments", numerous security teams reported all those CVE for them to be patched, there are no indications they were exploited in the wild.
Saying such things as "oh 30 CVE discovered in 1 month, so that means there was 1 CVE per day" is totally misleading, even more misleading to assume all those CVE were exploited by default (eg. "could lead to").
At best it indicates that they (Adobe and other security teams) are more serious about discovering and patching those CVE and so they close more of them more often.
Google claims they are doing just that:
https://googleblog.blogspot.fr/2016/01/better-ads-report.htm...
Now when did they start doing it is also a relevant question.
£1 a day for The Times - very nearly the cost of the actual paper. $1 daily to access Wired. Don't make me laugh. No one consumes all their news from a single source any more.
If my usage pattern is anything near representative, 2-5p a day for the Times and .5p a day for Wired, based on how often I visit equivalent sites and how many stories I read whilst there.
Seems like unless it's something very specialised (medical journal or similar), or the FT charging as though it was our sole news source just demonstrates how out of touch they are.
Sure, charge me £1-£2 a day for consumption, but that would have to be spread across 50-100 sites daily, some of which I've visited just once in the last year, for one article. AND, if I am going to be willing to be micro-charged I want a way to NOT pay a specific site (perhaps I visited and the content was poor). Make that happen I'll subscribe today.
Ask me for £1 for your shitty site daily and you'll wait forever, but good luck with your greed - that's what caused the adpocalypse in the first place.
It is effectively a way to price the information, how much should be paid for your view. Note in print days, you still pay your subscription, yet you get shit loads of ads. And you have a variety of choices of publishers.
So why is this the worst model ever?
The article is laughable that it gives no solution, but asks publishers to evolve into oblivion, which I think they won't.
Some people are so pissed that publishers got anti ad blockers in place, yet claim they won't pay for their shitty articles whatsoever. But then again, if you don't read those shitty articles that much, why are you so pissed in the first place?
After all, you need to pay for what you consume, and ads are one way of doing it. It is not perfect, nor evil. Your call then.
That's always going to significantly limit paywalls online. Too much competition from hobbyists and non profits that see their goal as helping people rather than selling their work.
Do newspapers work with individual advertisers, or do they work mostly through local marketing firms? The answer is again the same as above. Buying a news ad is commonly done through a marketing firm and the newspaper is always responsible for what is printed.
Very few publishers in any media deal with individual advertising clients, and yet it works. Responsibility is done through contracts, through professional liability and standards, and as a last resort through business insurance. As a result, it's quite uncommon to see illegal ads in physical newspapers, on TV, on buses, and on other physical objects.
Now, they do also do more manual vetting, but they can afford to, because again, the ads cost more. Maybe online ads need to cost more too. It just means that some fraction of the current legitimate advertisers will no longer have sustainable business models.
Or you could have ad networks that only circulate carefully vetted/curated ads.
Imagine if you had an ad network that was picky and only allowed ads that were clever/interesting, short, not annoying, and didn't lead to malicious/fake products!
Also, even if you could catch everything with manual human vetting of every ad, it would be cost-prohibitive. (Either you would have to pay less to publishers, or charge more to advertisers. The latter would likely be a non-starter, because it is already difficult for most small advertisers to run positive ROI campaigns. The former would put further pressure on publishers, making them even less likely to accept the risk of these proposed lawsuits.)
I would love to see online advertising improved, and I think there are certainly possible ways to go about it. I'm just trying to illustrate that it's not as easy as, "don't let people publish or distribute bad ads."
To borrow the analogy from the article, we couldn't stop spam by going after the email providers for allowing it through.
No, you make it simpler than that
you simply forbid ads to be interactive or to contain any code
eg. you do only static ads like text, image, video
no code, no way to hide nasty stuff
Basic incentives - until they're fixed nothing will change.
Or they would be forced to seek agreements with ad networks to cover such faults. Insurance, in some form.
Isn't that what Google did when facing the need to monetize their search engine?
The mafia comparison is targeting adblock plus for their "do your ads as we say, give us a 30% cut of the money you make and we may whitelist your ads (only if you're big enough as in at least 10m ad impressions)" feature[3].
[1]: http://www.nextinpact.com/blog/97835-pourquoi-next-inpact-ar...
[2]: http://www.nextinpact.com/publicite-partenariat
[3]: http://www.theguardian.com/technology/2016/feb/25/adblock-pl...
The implementation is currently broken, largely due to a lack of regulation and enforcement in the industry, but this can easily be fixed by having better opt-out mechanisms online (3rd party cookie removal went the opposite way). This would allow you to get more generic ads if that's your wish.
This all happens in real time. So the point is, when you get a report of a bad ad on your page, it's almost impossible to even know what network it came from. The networks themselves don't know if they ultimately served you the ad, because maybe they got it from someplace else. And no one can search for it based on the url anyway.
Now, none of those things is unsolvable, although it would take significant new regulation. For instance, when an ad is served through a network, there should be a standardized way to add metadata to the ad to state that it was served via that network. In cases where it is passed through several networks, it would carry each of their metadata, in order from the original source through the various levels until the network that actually serves the ad to the publisher. That would at least allow savvy users to make an informed report to a publisher when they get a bad ad. Something else to look at might be requiring that either 1) the target url of an ad points directly to the eventual landing page, or 2) if a redirect is made, the original url be encoded either in the new url (as a fragment id perhaps) or at least as metadata in the page. There are probably plenty of caveats there. But if a user clicks on an ad and finds themselves at some page, there should be some way to figure out what ad took them there. That isn't currently the case.
Identifying the networks an ad has passed through would be the responsibility of those networks (with a standardized way of doing so). Avoiding or identifying redirects would be the responsibility of the advertisers, but networks would have to be required to periodically test ads for compliance.
An analogy is financial-auditors -- a human has to be present and sign even if the report is for a company behind 10 shell companies.
Almost a decade ago, ads about subscription services went through a major change. The government disliked how "free" was used in services where all the costs were hidden in the fine print. As such, all ads related to subscriptions were changed so that the total price must be very explicit in the ad. The TV, newspapers and street advertisement immediately changed as a result, mostly by stopping having advertisement for such services. They were afterward put back once marketing firms learned how to stay compliant with the decision.
Even further back in history there was a ruling against advertisement that targeted children, where there was one particular channel that went a bit further than everyone else. After the ruling, they stopped.
Now, one could assume that the sword is only dangling above the TV networks and the newspapers are running wild with scamming advertisement. Except that I can find rulings (by the consumer protection agency) that target advertisement in print. A ruling in 2003 made a decision against a home catalog, ordering the company to stop printing a style of advertisement (about weight control) or face a fine of $40000 per issue.
Sweden doesn't have much general classified ads in newspapers, so I guess that might answer why I don't see so many shady versions. Job ads are done through the government job agency, and selling things through newspapers tends to be quite expensive so it's almost exclusively about cars, boats or houses. Criminals tend to target cheap alternatives so that a failed attempt has less of a sunk cost, which means those that have no vetting process and minimal investment.
For example, if I want the latest information about Zelda U, I wouldn't go to IGN or Kotaku or Polygon, but instead to Zelda Informer, Dungeon or Wiki depending on what exactly I was looking for. If it was more general information, then that's what the likes of GoNintendo are for.
Of course, I could always just go to the company instead of a middleman; most of them are moving towards marketing straight to the consumer rather than the press. Given that most of, say, IGN's information comes from summarising things like Nintendo Directs and E3 presentations, or from what's trending on Reddit or Twitter or YouTube, it seems more logical to go straight to the source than through the middleman.
Would this work in all fields? No, stuff that's dangerous or complex (like say, reporting on the war in Syria or what not) tends to need more professional organisations. But if you're after information on games, TV shows, movies, music, celebrity gossip or sports, then to some degree you can pretty much entirely replace the professional media with fan sites and blogs.
It's also why paywalls are going to be a problem even in the short term; anything factual you put behind one is going to end up on the fan-run sites and aggregators anyway. If a big site puts something interesting up behind their paywall, then it'll be maybe about ten minutes before someone's ripped the whole thing, stuck it on sites like YouTube and it's then been posted across the entire blogosphere.
Paywalled content is going to need to be more than facts; in fact, if it's just facts then most news sources are overkill. Rather it's the voice and other in-depth journalism that would demand a premium. In this case though there are pretty powerful copyright protection systems in place that it's not really a worry. The same reason why little YouTube players complain about stolen videos but not the big studios.
https://www.google.com/settings/u/0/ads/authenticated
https://www.google.com/settings/u/0/ads/anonymous
Others can be found with a simple Google search.
Well I would agree, but ahem popups, popunders, sound, retargeting, tracking, simulated download buttons, simulated anti-virus messages, animations, sound, maximise on rollover, sound (sound there multiple times intentionally :p)
Now then, an industry that resorts to every underhand trick they can think of is not doing much to have my sympathy.
If I could visit a site with ADS, and just ads, without any tracking, retargeting or other trickery I'd gladly have the ads for that site on permanently. By the same token I wouldn't even mind seeing ads on the sites I actually paid for if they were locally hosted and tracking free.
> Note in print days, you still pay your subscription, yet you get shit loads of ads
How many print ads had sound, retargeting, tracking or dropped malware? Comparing apples and oranges here.
Oh no, just to make the internet usable I need to block >50% of the domains a page tries to load. So to turn on ads I need to figure out which of the 20 blocked domains and 10 blocked scripts will let ads through. But tracking and retargeting gets enabled when you do that. Fuck that.
Simple ads, no tracking. It's not hard.
I'm not pissed about the anti ad-block. I'm pissed because the sites show up when I'm searching in the first place. I'm pissed because I go to the site thinking I can get the information I was teased with in my search only to find out I've been tricked. I'm forced to do something (unblock the ads), accept some fake implicit agreement (you agree to look at our ads), and be spied on (all the trackers) before I can get to the content I was led to believe was there.
The fix is to remove all blocked content from the search so we won't even know it exists in the first place. We won't get upset, we won't get blocked, the sites won't get content "stolen" by those who won't view or click the ads to begin with. Everybody's happy. Win Win.
The way we consume media has changed. 20 years ago I'd have a daily newspaper to read on the commute and subscribe to a few magazines - say 5 a month.
In today's terms a spend of perhaps £1.50 a day for media.
Now I'll read 5 articles on the Guardian, 5 on Ars, 1 on Wired, 2 on the register, 1 on the Telegraph, 1 on NYT, another on The Atlantic etc, etc. Tomorrow will be a different selection. If I bought subscriptions as they are typically set online I'd be spending £30 or something a DAY on media. That's ridiculous.
So yes, there needs to be a better micro payments model for media consumption. I'd happily pay. The Google way of doing it is closest thus far, but doesn't give me any control of who gets paid. eg I'm not happy with a percentage of my micro spend going to the clickbaity upworthy article I clicked and bounced straight off.
It's not just the graphic used by the ad, it's also the ad's destination.
The clickthrough rate on internet ads is execrable. Frequently in the fractions of a percent at best.
No other advertising space operates on the assumption that linking represents.
Eliminating linking and leaving pure visual ads would be in line with every other form of advertising in existence, and eliminate the "problem" of click fraud, link-bait, and actually fraudulent links.
Do we really need a business model that exists largely to enable ad networks to defraud each other and consumers? We have advertising standards bodies that are meant to prevent this kind of thing in every other form of advertising, but somehow the internet is "special"?