Domain: sitetruth.com
Stories and comments across the archive that link to sitetruth.com.
Comments · 190
-
Re: Because it's a crime not to
If one of the jurisdictions that bans running an anonymous business is your home state, such as California, you'd have to move as the first step of opting out. If one of them is your home country, such as countries in the European Union, good luck seeking a work visa elsewhere.
-
Self-reported data will never work.
See my 2010 paper "'Places' spam - the new front in the spam wars." As I wrote back then, "The two phases of spamming Google Places are the insertion of fake business locations and the creation of fake reviews. Both are embarrassingly easy." That hasn't changed.
Google doesn't fix this 4-year-old problem because Google makes money from bad search results. If search results take you directly to the business selling whatever it is you want, Google makes no money. If you're detoured through some Demand Media content farm, Google makes ad revenue. If you get fed up with being sent to ad-choked sites and click on a Google ad, Google makes money. Organic search that sucks is a fundamental part of Google's business model.
Technically, it's straightforward to fix this. Business data has to be checked against sources businesses can't easily manipulate, such as business credit rating companies. A business that reports fake store locations to Dun & Bradstreet or Experian will soon have a very low credit rating.
Bing or Yahoo could beat Google at search quality. They have the same spam problem, but it doesn't make them money. That's because Google has most of the third-party advertising market. Web spam on Bing drives traffic mostly to sites with Google ads, not Bing ads.
The real search engines are Google, Bing, Baidu (China) and Yandex (Russia). Everybody else, including Yahoo, is a reseller. Yandex has been doing some interesting stuff lately with linkless search ranking, and Baidu just opened a Silicon Valley office.
Yahoo's Marissa Mayer announced last January that Yahoo was getting back into search. (They've been reselling Bing since 2009.) That appears to have been a bluff to get a better deal from Microsoft. There's no indication of Yahoo actually building a search engine. No relevant job ads, no data center buildout, no increased crawling by Yahoo bots, no high-profile hires, no buzz in Silicon Valley.
Bing ought to be doing better than it is, but they're reported to have management problems. Every year, there's new top management at Bing, and it doesn't help.
-
Laws like European Electronic Commerce Directive
I wonder how much this has to do with an attempt to comply with statutes against anonymous Internet businesses. Do these statutes have a reasonably rich body of case law yet?
-
Twitter spam is huge. Twitter likes it that way
Twitter prohibits spam filters. You're not allowed to write a Twitter client with a spam filter. If you do, Twitter will invalidate your OAuth code. So people actually see Twitter spam. That makes Twitter a spam magnet.
Of course they have huge numbers of fake users. Want to create some fake Twitter accounts? Just get Twitter Account Creator Bot: "... automatically creates thousands of accounts per day without any human intervention ..." Now only $225. Also available: Twitter Follower Bot ("can follow thousands of profiles using keywords"), "Twitter IDs Grabber Bot", and "Twitter Tweets Replier Bot".
If you don't want to do it yourself, you can just buy Twitter accounts in bulk. 20,000 Twitter accounts for $400. That seems to be the going rate; BuyAccs.com also quotes $400 for 20,000 accounts (with avatar!). Google+ and Facebook accounts cost about 5x as much from the same suppliers. When you see low, low pricing for bulk social network accounts, you can be sure the service isn't trying very hard to stop spammers.
There's no problem finding social network spamming services. They advertise openly. Just search Google for "bulk twitter accounts". You don't have to go on Black Hat World, build up a reputation, and get into the closed forums. You don't have to get "bulletproof servers" in some third world country. The social spammers aren't hiding.
(Ad: we could stop this by using SiteTruth to find spam links in tweets. I prototyped a Twitter client with spam filtering and tested it. But Twitter doesn't allow that. "Sponsored tweets" have to get through, you know.)
-
Google has no clue about social spam.
Back in 2011, I wrote a paper, "Social is bad for search, and search is bad for social". There, I described the social spam ecosystem, from the SEO firms to the phony account generators to the proxy sellers. I named some of the big social spammers.
Most of the same companies are still social spamming. In the paper, I mentioned "Google Plus1 Supply". They're still active. They're still selling "+1"s. Their site looks almost exactly the same as in 2011. But their prices have gone down, and their number of fake "+1"s sold has increased from 4 million to 33 million. BuyPlus1Fans.com is still up.
Where do they get the accounts? BulkAccounts.com is still up, just like they were two years ago. They're an outsourcing firm, using low wage labor to create new accounts. For an automated approach, there's JetBots, which claims to be able to create 250,000 new accounts per day on a fast connection. They offer "CAPTCHA Bypasser", which runs CAPTCHAs through OCR, and when that doesn't work, ships them to an outsourcing firm for manual recognition. Once the account is established, their "voter bots" add any desired number of stars to reviewed items.
Facebook is no better. BulkLikes.com is still up. In 2011, they charged $260 for 500 Facebook fans. Now, it's only $70 for 1000 fans.
Old-style link spamming was expensive - spammers had to set up content farms, run servers, refresh them with interesting content, and worry about their farm being blacklisted. Social spamming is cheap - Google, Facebook, and Yelp host the spam for free. Yelp tries to push back against social spam; they've sued some spammers. But Google and Facebook don't seem to be trying at all. The fact that the big spammers of two years ago are still big spammers clearly shows this.
-
Re:Who's responsible for the ads served
I think the pertinent question is whether Microsoft or Google or Yahoo should be responsible for the ads they show.
That's a very good question. Because the major search engines do not vet their advertisers very well. Google had to pay $500,000,000 to the USDOJ when they were caught willfully running ads for an obvious drug dealer. (No, it wasn't about "Canadian pharmacies". Some Google apologists tried to spin it that way, but the details came out.) Google has since clamped down. They had to; they were on DOJ probation for two years, with felony charges hanging over them. "Oxycontin no prescription" no longer returns ad results. Same for "viagra". Bing now pops up an "Is it legit?" box for searches like that.
Google's clampdown was narrow. Searches with "foreclosure" and "credit repair" have a high population of scammers. Financial search keywords carry a high price, because the marks can be taken for big amounts.
It's possible to measure basic advertiser legitimacy. We do that with SiteTruth, which tries to find the real-world business behind the ad. For over 30% of Google advertisers (by domain name), there's no identifiable real-world business behind the ad. (Running an anonymous business is illegal in some states and in the EU.) That's embarrassing, and highly profitable for Google.
-
We told you that in 2011
My 2011 paper "Social is bad for search, and search is bad for social" mentions that. It also names providers of fake "likes", fake "+1"s, fake reviews (some of which are very funny), fake accounts, fake IP addresses, and fake phone numbers for fake account verification. There's a whole ecosystem out there generating this junk.
Most of the sites identified in that paper are still in business. Some of the more blatant ones are "bulkaccounts.com" ("1000 Twitter accounts for $99") and "pvaspot.com" ("We Offer Top Quality Forwarded Phone Numbers used to create Phone Verified Accounts with a no questions asked 100% guarantee at Competitive Prices with Excellent Customer Service."). The fact that the same sites are active after two years indicates that the major social media networks can't or won't stop them.
As we point out in the paper, social media spam is cheaper and easier than link-farm spam. With a link farm, you have to set up servers, keep them up, fill them with fresh content. This gets expensive. With social media spam, the social media service hosts your spam for you, for free!
-
Here's the list of Google-hosted phishing sites.
One of the things our SiteTruth system does is report on major sites that host phishing scams. There are only 34 such sites today. As it has been for several years now, Google is at the top of the list.
Here's the list of all known phishing sites currently hosted by Google. Scroll down through all that background data about the company to a big block of red "phishtank report (2013-02-01): Phony site reported via PhishTank." lines. Click on the links for a PhishTank report. The raw data comes mostly from PhishTank. Most exploitable hosting services (especially short-URL services) check PhishTank and the APWG list automatically, but not Google.
Google has several vulnerabilities. It's possible to host an attack page not only on Google Sites and Google Docs, but also on Google Spreadsheets. Recently, Google added a new attack vector; there's an open redirector at Google Accounts.
Amusingly, for some, but not all, of these phishing sites, Google's own anti-phishing warning pops up. But the part of Google that generates that blacklist clearly doesn't talk to the part of Google that does hosting.
Here's the oldest phishing site hosted by Google. On line since 2010-12-30. It's one of those "Habbo Coins" phishing pages, probably forgotten by the original attacker, since it forwards to a dead Hotmail account.
When we first started doing this analysis, Google wasn't on the list, because they didn't do hosting. There were about 150 sites listed in 2009. Through improved awareness, nagging and the Anti-Phishing Working Group, we're down to 34 - a few little sites with no clue, ones that just got hit by break-ins, and "bit.ly", which tries to keep up with their abuse problem but is falling behind. MSN, Yahoo, TinyURL, and most of the other big-time victims long ago solved their problems in this area. Google stands alone as a major service with an incompetent abuse department.
-
Crowdsourcing FAIL - crowds can be sourced.
The trouble with crowdsourcing is that crowds can be sourced. I've been pointing this out for several years now. My "Social is bad for search, and search is bad for social" paper covers this. Some review spam is remarkably inept. My favorite, in the paper, is a set of three restaurant reviews that were clearly scraped from reviews of a car wash. Carpet cleaning reviews on Yelp tend to be amusing. The same phrases reappear in many reviews. Many reviews mention a company different than the one being reviewed. We know, of course, that over 80 million Facebook accounts are fake. Many of those fake accounts are being driven by 'bots posting fake reviews and social stats.
Social spam has been around for years, but went big-time in 2010. In Q4 2010, Google merged Google Places results into main web search. Google Places results could be easily spammed with fake reviews before that, but few people had bothered until those results boosted rankings in web search. Then the spam floodgates opened. Google was so heavily spammed that the mainstream press noticed. Google had to back off a bit on using Places results in web search to get their search quality back up.
The legacy of that debacle is that it became widely known that social spam was a safe, almost respectable SEO activity. Link farms, the previous way to spam Google, are expensive to run, and when Google detects one and blacklists it, an entire server farm suddenly becomes useless. Social spam doesn't put SEO operators at risk. The social networks even host the spam for free!
There's a potential winner in this - Amazon. Amazon knows if you actually paid money for the thing. They have identity data from credit cards. Amazon can still be spammed, but the spammer has to spend money, so the cost per spam is high.
-
We reported this last year; Barracuda missed much.
Our paper from November 2011, "Social is bad for search, and search is bad for social", covered this last year.
Barracuda Networks doesn't even seem to have published a paper. (The article linked in the Slashdot article is a scraper site for press releases.) The Barracuda press release points to an "infographic" and a blog posting which, as their only outside source, links to a black hat site.
Barracuda doesn't seem to have discovered the extent of the social spamming ecosystem. We identified at least 6 levels:
- Advertising agencies.
- SEO firms. ("Google Places Guaranteed")
- Fake review, "like", "+1", and "retweet" generators. ("Buy Facebook Fans with us today and watch your popularity boom.")
- Fake account generators, both automated and outsourced to low-wage countries. ("Bulk Accounts is the largest mass account generator out there. ...Gmail, Myspace, Youtube, Facebook, Twitter, Hotmail and much more...")
- Fake IP address proxies and fake phone numbers ("Premium Private Proxies", "Top Quality CL Phone Numbers used to create Craigslist PVAs")
- Botnet operators providing proxies on compromised machines. Now we're down at the organized crime level.
This structure insulates the legitimate businesses who use ad agencies from the criminal activity at the bottom. Except for the botnet operators, everybody in that ecosystem has some kind of web presence, although towards the bottom, they usually have only Skype and Gmail accounts as contacts. I'm not going to link to them here, but our paper gives actual names.
-
Social signals are bad for search
I've been pointing this out for some time now. See my paper "Social is bad for search, and search is bad for social". As soon as some social signal feeds into search ranking, it gets spammed.
Social spamming is cheaper and easier than classic link farm spamming. Link farms cost money to set up and run. Social spam is hosted for free by Facebook, Google, Yelp, etc. Attempts to stop this have not been successful. Even if 80% of fake accounts are killed off, that just means the spammers have to run more fake account generators. Remember Google's "real names" policy? That didn't work out.
Google, and, to a lesser extent, Bing, are running into a big problem - most of their "signals" are spammable. Links are mostly spam - who links to sites that exist only to advertise? Most content, by volume, is now spam - spam blogs, scraper sites, AOL, and Demand Media. There are even spam newspapers, newspapers that get their content from Demand Media and PR Newswire. The San Francisco Chronicle does this, and fake PR "stories" then show up in Google News.
Google tried weighting links less in their Panda update. It didn't help. Their results in heavily spammed areas became semi-random, and social spamming went up.
That's why there are all those fake accounts.
-
Google needs to clean up their own act first.
Here's our current list of major domains being exploited by active phishing scams. Notice who's at the top of the list. Google.
We've been generating that list for years. It's based on PhishTank data, updated every 3 hours, and uses Open Directory to decide if a site is "major". 46 domains are on the list today. 9 have been on the list since 2011 or earlier. One has been on the list since 2010 - Google. Google is the last free hosting service unable to clean up their phishing problem. MSN, Yahoo, and various free hosting services have been successful at aggressively cleaning up phishing problems, and haven't been on this list, other than briefly, for years.
Here's the oldest phishing attack hosted by Google, up since 2010: "Free Habbo Coins. Email your username and password to..."
For years, Google didn't realize that Google Spreadsheets could be used to host phishing sites. They finally caught on, and there's now a "report abuse" button on spreadsheets. Most, but not all, of the spreadsheet-hosted phishing sites have been taken down.
If anybody from Google is reading this, go over to your abuse department and apply a clue stick. It should embarrass someone that Google is the most clueless free hosting provider in the world about phishing.
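An added illustration of the kind of list described in the comment above (not the commenter's or SiteTruth's code): active phishing reports grouped under the major domain that hosts them. The record fields, the `.example` hosts and the major-domain set are constructed assumptions, standing in for PhishTank data and an Open Directory lookup.

```python
from collections import defaultdict
from datetime import date
from urllib.parse import urlsplit

# Constructed sample reports; field names are assumptions, not PhishTank's schema.
REPORTS = [
    {"url": "https://sites.bighost.example/a/login", "submitted": "2010-12-30", "online": True},
    {"url": "https://docs.bighost.example/forms/d/1", "submitted": "2012-11-02", "online": True},
    {"url": "http://docs.bighost.example/sheet/9", "submitted": "2013-01-15", "online": False},
    {"url": "https://BIGHOST.example./accounts/signin", "submitted": "2013-02-01", "online": True},
    {"url": "http://short.example/x7Qp", "submitted": "2013-01-28", "online": True},
    {"url": "http://notbighost.example/login", "submitted": "2013-01-29", "online": True},
    {"url": "http://tiny-shop.example/wp/pay.html", "submitted": "2013-01-30", "online": True},
    {"url": "not a url", "submitted": "2013-01-31", "online": True},
]

# Constructed stand-in for "is this a major site?" (the comment uses Open Directory).
MAJOR_DOMAINS = {"bighost.example", "short.example", "cleanhost.example"}


def major_domain_for(url, major_domains):
    """Return the major domain that hosts `url`, or None.

    Matching walks the hostname label by label, so docs.bighost.example
    belongs to bighost.example while notbighost.example does not.
    """
    host = urlsplit(url).hostname  # lowercased by urlsplit; None if absent
    if not host:
        return None
    labels = host.rstrip(".").split(".")  # tolerate a trailing root dot
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in major_domains:
            return candidate
    return None


def exploited_major_domains(reports, major_domains):
    """Group reports that are still online by hosting major domain.

    Returns rows sorted by active report count (descending), then by the
    date of the oldest report that is still up.
    """
    buckets = defaultdict(list)
    for report in reports:
        if not report.get("online"):
            continue  # taken-down pages do not count against the host
        domain = major_domain_for(report["url"], major_domains)
        if domain is None:
            continue  # small site, unrelated host, or unparseable URL
        buckets[domain].append(date.fromisoformat(report["submitted"]))
    rows = [
        {"domain": d, "active": len(dates), "oldest": min(dates)}
        for d, dates in buckets.items()
    ]
    rows.sort(key=lambda row: (-row["active"], row["oldest"]))
    return rows


if __name__ == "__main__":
    for row in exploited_major_domains(REPORTS, MAJOR_DOMAINS):
        print(f'{row["domain"]:20} active={row["active"]} oldest={row["oldest"]}')
```

A hosting provider running the same grouping over its own domains gets a takedown queue ordered by how long each page has stayed up.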
-
Re:How far behind were the criminals/spammers?
At about 75%, from what I read on the black hat forums.
There's a whole social spam ecosystem out there now, with tools and services for spamming Facebook, Twitter, Instagram, Google+, Yelp, Tumblr, Youtube, random blogs, and for retro types, Myspace. It's not just a few people doing this. It's an industry with a supply chain. Read my "Social is bad for search, and search is bad for social" paper for an overview. If it feeds into Google search rankings, it's being spammed.
-
Crowdsourcing will not help
It seems to me that you could do a p2p certificate authority where a certificate's trust is based on the number of people who trust the cert as well as a past history of your trusts.
As someone else pointed out, that's Moxie's other project, Convergence. The trouble with "web of trust" schemes like that is fake "people", i.e. dummy accounts. Dummy account generators have trashed Craigslist, turned Hotmail into a reply service for spammers, garbaged Gmail, filled Google+ with fake accounts, and created vast numbers of bogus Yelp reviews. See my paper "Social is bad for search, and search is bad for social." for the details of who does that dirty work.
The trouble with crowdsourcing is that crowds can be outsourced.
-
There's a whole industry spamming social
There's a whole industry out there spamming "social". At the top are the advertisers who want results and don't ask too many questions. Below them are the SEO firms, advertising things like "Guaranteed first page listings or your money back". Below them are the businesses that sell "bulk Likes", "+1"s, and fake reviews.
But that's not the bottom of the swamp. The people generating fake social rankings need services to help them. So there are outfits which sell fake Google, Facebook, and Yelp accounts in bulk. Software companies which sell tools for creating fake accounts in bulk. ("250,000 +1 votes per day on a fast connection") Outsourcing firms which create fake accounts. These operations tend not to advertise openly, but can be found on "black hat" SEO forums.
They, in turn, need support services. They need fake IP addresses and fake phone numbers for verification calls. There are services to provide those. You can rent phone numbers in bulk for 20 minutes. Bulk IP addresses, needed for bulk fake account creation, come from proxies, many of which come from malware on compromised machines. This is down at the organized crime level.
See our paper "Social is bad for search, and search is bad for social" for the gory details.
This all started in late 2010, when Google started feeding "local" social data into web search results. There had been social spamming before that, but it was a minor business. Once Google went "social", social spamming took off. Now, social spamming is mainstream SEO. It's cheaper than running a link farm. It's also safer. There's seldom any retaliation from the search engines for social spamming. Even if they detect a fake social account, they can't tie it back to the source. With link farms, the whole farm can be banned, which can shut down a SEO firm.
-
Reasonable idea, but not ready for prime time.
Take a look at their ratings of major sites. That's a simple feature comparison checklist chart, but hard to read. Graphically, all the info is conveyed with colors only, which is awful. From a graphical standpoint, the icons are non-obvious. The picture of a human in a circle means "you can view and export your personal data". From a data collection standpoint, everything is either self-reported or manually set for major web sites, so there's a scaling problem. From an accuracy standpoint, Facebook has "will alert you to material changes" and "you can access all of your data" set to True, which is somewhat questionable given Facebook's history in those areas.
Compare "The evolution of privacy on Facebook". Now that's an excellent, and original, graphical representation of Facebook's privacy issues.
Presenting detailed information with multiple icons creates confusing visual clutter. Here's the chart for the international standard fabric care icons found on clothing labels. A liquid-filled cup with two dots and an underline means "Machine wash, warm, permanent press". A triangle with two diagonal lines means "Bleach with non-chlorine bleach as needed". Did you know that? It's on most garments.
We've struggled with this problem for SiteTruth. We collect information about the business behind a web site, and present it to the user through browser add-ons. Doing this both concisely and effectively is tough. Right now, we have red, yellow, and green icons, with "do not enter", question mark, and checkmark graphics. We're about to launch a new system which brings up a small "dog tag" on link mouseover, with information about the business. The dog tag uses text, not icons.
-
Sources of data about bad company policies?
Is there any reliable source of data that rates company policies against some objective criterion? Something that's not just an unsorted collection of complaints or anecdotes? There's EULAlyzer, which tries to do this by recognizing stock phrases. Anything else?
Incidentally, Netflix won't even let you read their EULA unless you let them plant a cookie. That's tacky.
If I could find something like that, I'd put it in SiteTruth, and have it appear when you mouse over a link or search result. Currently we report the location of the business and, when available, the annual revenue and number of employees, with links to SEC and BBB reports. The goal is to provide consumers with data that allows them to tell how legitimate the company is. Data that doesn't come from the company. (Or from their social spammers. Most favorable crowd-sourced "reviews" are now solicited, if not outright fake.)
-
Re:seems more like google has declined
As more and more people have focused on 'winning' the search results on google, I've gotten more and more 'wrong' results there. Bing has caught up with the google of today, and sadly neither can compete with the google of 4 years ago.
That's what comes from using "social" signals in search. "Social" is very easy to spam. Fake reviews, fake "likes", fake "+1s"... The social networks even host the spam for free - no expensive link farm to host and update.
Google tried their "real names" policy on Google+ to put a stop to that. That failed. Then they tried correlating what all their users are doing across all their services. That has over 30 US state attorneys general and the European Union after them. Fail.
-
Many accounts are just for spamming
There's a whole industry out there spamming Google+. There's "googleplus1supply.com" ("total +1s sent to our clients: 25,364,921"), "plus1sem.com" ("Buy 2000 Google Plus Ones and SKYROCKET your rankings"), "buyplus1fans.com" ("Our service helps boost your Google +1 presence which will convert into higher rankings equaling more customers!"), and "buyrealplusone.com" ("Crush your competition!"). A sizable fraction of Google+ accounts are probably from spammers.
We have a paper on this: "Social is bad for search, and search is bad for social", which is a tour of the social spam ecosystem. At the top are advertising agencies, which hire SEO firms to boost their rankings and don't ask too many questions. The SEO firms buy those fake "+1"s, "Likes", and, until Google stopped counting them, "tweets". The businesses which sell the +1s and "likes" deal with firms that create and sell fake Google and Facebook accounts. Further down into the slime are the businesses that sell short-term IP addresses and phone numbers for verification of the fake accounts. Down at the bottom are the botnets that host much of this.
Social networking is the web spammer's dream. No expensive link farm sites to host and fill with fresh content. The social networks host your spam for you, for free.
Narrowing the reach of "social" signals with "circles" and friend lists helps a little, but not all that much. That's why there are programs which generate accounts which appear to be from young women.
-
Google has this problem with their forms, too.
It's not just JotForms. Google is now the leading site being exploited to host phishing pages. Google has reasonable defenses against phishing for their "sites" product. However, Google doesn't seem to have those protections on their document and spreadsheet products. Here's a fake login form hosted by Google. That's been up since 2010. Here's a fake login page hosted as a Google spreadsheet. Google allows unlimited HTML in a spreadsheet, which means it can be abused in this way. We have a full list, if anyone is interested.
"formbuddy.com" and "surveymonkey.com" can also be abused in this way. Formbuddy seems to kick phishing pages off quickly. Surveymonkey, not so good at this.
If you offer free hosting, and don't have aggressive anti-phishing controls in place, you will be pwned.
-
Scraping the bottom of the barrel on "signals"
Google is scraping the bottom of the barrel on search "signals" here. Originally Google used links as a metric, and those were spammed with link farms. In 2010, they started using more "social signals". Google Places turned into a spam farm, and Yelp filled up with obviously bogus reviews. As Google used more "social" signals, Twitter filled up with spam tweets, Facebook got phony "likes", and a market developed in Google "+1"'s.
Social spam is worse than link spam. With link spam, spammers had to pay to set up and maintain link farms of fake sites. There were ways to recognize link farms. With social spam, the social networks host the fake accounts and their spam for free, and fake accounts are harder to recognize. Google tried a tough "real names" policy for Google+, and had to back down in the face of user and political opposition.
Anything Google uses as a signal gets turned to shit. Social is bad for search, and search is bad for social.
-
It's not the language
As a language, Javascript is easy. The hassles all come from dealing with the environment it runs in, which is usually a browser. You're making calls to a big, frequently updated, multi-platform thing that almost works. As someone else pointed out, the big headache is testing. Cross-browser compatibility is getting better; you can probably ignore the horror that was Internet Explorer 6 for any new work.
The big difference for someone coming from C is that you don't have to devote half of your attention to worrying about the two big headaches in C - "who owns what", and "how big is this array". You can afford to be more aggressive about data structure design.
Javascript is uglier than Python but less ugly than Perl. The JIT compilers are now quite good, and performance is better than you might expect. A huge number of people program in Javascript (although many of them not very well) so it's not a particularly valuable skill.
I'm currently writing in Javascript (browser add-ons), Python (server-side) and C/C++ (embedded control). After decades of C/C++, I think we should have moved to something better by now for low-level programming. Python is clean, but the implementations are slow. Javascript is in the middle, and adequate for what it's usually used for.
-
Legitimate business checking
if an HTTPS site uses a certificate that's domain validated, Dragon raises a warning "that the organization operating it may not have undergone trusted third-party validation that it is a legitimate business."
I'm all in favor of checking whether a commercial site has an identifiable, legitimate business behind it. We do that with SiteTruth, and it filters out a huge number of junk sites. We divide SSL certs into three categories - "domain control only validated", "business validated", and "extended validation". A "domain control only" cert has no identity value. The CA/Browser Forum is formalizing this distinction with their new cert issuance guidelines. The 3 levels of certs are now an industry wide standard.
SSL certs aren't the only game in town. There are other hard data sources for validating web sites. We use SSL certs, BBB and BBBonline records, purchased commercial databases of businesses, US Securities and Exchange Commission filings, and a few other sources. If a site is selling something and comes up empty in all of those, maybe you should buy from someone else.
I'm not saying that such sites should be blocked by a browser, though. Moved down in search results, yes. Users warned, yes. Hard blocked, no. (However, links to them in emails, tweets, and forum posts are a good indication of spam.)
Comodo has something of a conflict of interest in checking for certs, but they do accept certs other than their own. It's not a paid "Seal of Approval" racket.
-
We're applying that concept to Google
From the article:
"... we've heard complaints from users that if they click on a result and it's difficult to find the actual content, they aren't happy with the experience. Rather than scrolling down the page past a slew of ads, users want to see content right away."
They're right. That applies to Google search results, too. For some popular searches (try "new movies" or "dvd player") the top of the page is full of Google ads, Google shopping, and Google categories. The right column is all ads. The first screen sometimes contains no actual search results at all.
So we fixed it. Our new Ad Limiter browser add-on limits Google (and Bing, Yahoo, etc.) search results to one ad per page.
Why one ad? All things in moderation. Sometimes an ad is useful, while a page of ads in your face is just annoying. Advertisers complain about ad blocking, and try to evade it. Limiting pages to one ad is a reasonable compromise.
Google's ad count per page has been steadily creeping up over the last few years. That's not good for users, advertisers, or Google. Remember what happened to Myspace, which reached new heights in ad clutter shortly before tanking.
Check it out and tell us what you think. Currently available for Firefox and Chrome.
(If you really want to block all ads, AdRater has a preferences option for that. You're in charge.)
-
Do we need to block this in our Google ad blocker?
We're releasing a Google ad blocker, which is in test now. It lets one ad through, and blocks the rest, to de-clutter Google results. We could add some other blocking capabilities. Let me know what Google won't let you turn off. If you try this, and there are new "social" ads which slip through, we'd really like to hear about it. Thanks.
Google's recent direction seems to follow H. L. Mencken's line "Nobody ever went broke underestimating the intelligence of the American public." Google is getting better at answering dumb questions, and worse at answering hard ones. The problem is that Google now assumes the question is dumb, auto-correcting in the direction of common words and questions. That's yet another problem with feeding "social" data into search. Then they try to patch this by profiling each user with "search customization". But that assumes there's a pattern to an individual user's hard questions. (This leads to the concept that search customization should estimate how smart each user is, a data item which can be sold to advertisers to generate sucker lists.)
-
Terms of the agreement? Ad blocking issues?
It's amazing how few people change their default search provider. That's why this matters so much. Most of Bing's traffic comes from IE's default search box. Google pays Apple something like $100 million a year to be the default search provider on the iPhone.
I'm a little worried about the terms of the agreement not being disclosed. We're launching a search ad blocker that removes all but one ad per page on Google, Bing, and Yahoo search results. We're trying to re-introduce the idea that most of the screen space should be content, not ads, and we put some teeth into that idea with ad blockers. (Yes, you can block all the search ads if you want.)
The first version is a Firefox add-on, and has to go through the Mozilla approval process. It will be interesting to see if "problems" develop there. The controversial new, "soft" version of AdBlock apparently doesn't block Google search ads, while ours does.
-
This is a step forward
This is a step forward. Not a huge step, but a step. There's a standard, and although it's weak, it's at least there. And, importantly, there's a list of who's signed onto complying with it. The CA Browser Forum says that 94% of the issued certificates were issued by their members, and there's a list of all 40 members. All root certs from non-Forum members should be removed from browsers. Some browsers now recognize as many as 200 CAs. A purge is in order.
There's now a way to check whether a CA claims to comply with these rules. If the cert contains OID 2.23.140.1.2.2, the identity of the business behind the cert has supposedly been validated. If the cert contains OID 2.23.140.1.2.1, only the domain behind the cert has been validated. If it doesn't contain either of those, after July 2012, it's worthless. Browsers should be adjusted accordingly. Note that, for the first time, there's an actual verification process for business identity for non-EV certs. This is a big step forward.
I'm very interested in the validation process for business name information, as described in section 11.2.1 of the specification. We use that info in SiteTruth, and we'll be tightening up our cert validation, now that there are standards.
It's not clear how this will interact with Akamai's practice of issuing secondary certs for their customers, so that Akamai's caching servers can present SSL certs from companies Akamai represents. Akamai isn't a CA itself, and isn't a member of the CA/Browser forum.
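The OID check described in the comment above, as an added example that is not part of the original comment or SiteTruth's code: it parses the DER value of a certificate's certificatePolicies extension and reports which of the two policy OIDs it asserts. The function names, the CA-specific OID `1.3.6.1.4.1.99999.1` and the sample values are constructed for illustration, and treating a cert that asserts both OIDs as domain-only is an assumption of this example.

```python
"""Classify a cert by the CA/Browser Forum policy OIDs in its certificatePolicies value."""

DV_OID = "2.23.140.1.2.1"   # only control of the domain was validated
OV_OID = "2.23.140.1.2.2"   # identity of the business was validated
SEQUENCE, OID_TAG = 0x30, 0x06


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Decode OID content bytes (base-128 arcs) into dotted form."""
    if not content or content[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for byte in content:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)          # first two arcs share one encoded value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))


def encode_oid(dotted):
    """Inverse of decode_oid; used only to build the constructed samples."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for value in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [value & 0x7F]
        value >>= 7
        while value:
            chunk.append(0x80 | (value & 0x7F))
            value >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def der(tag, content):
    """Wrap content in a DER tag-length-value element."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content


def build_policies(oids):
    """Constructed certificatePolicies value: SEQUENCE OF SEQUENCE { OID }."""
    return der(SEQUENCE, b"".join(der(SEQUENCE, der(OID_TAG, encode_oid(o))) for o in oids))


def policy_oids(ext_value):
    """List the policy OIDs in a DER certificatePolicies extension value."""
    tag, body, end = read_tlv(ext_value, 0)
    if tag != SEQUENCE or end != len(ext_value):
        raise ValueError("not a certificatePolicies value")
    found, pos = [], 0
    while pos < len(body):
        tag, info, pos = read_tlv(body, pos)
        if tag != SEQUENCE:
            raise ValueError("expected PolicyInformation")
        oid_tag, oid, _ = read_tlv(info, 0)   # any policyQualifiers after the OID are ignored
        if oid_tag != OID_TAG:
            raise ValueError("expected policy OID")
        found.append(decode_oid(oid))
    return found


def validation_level(ext_value):
    """Map a cert's policies to 'domain-only', 'business-validated' or 'unasserted'."""
    if ext_value is None:                  # cert has no certificatePolicies extension
        return "unasserted"
    oids = set(policy_oids(ext_value))
    if DV_OID in oids:                     # assumption: the weaker claim wins if both appear
        return "domain-only"
    if OV_OID in oids:
        return "business-validated"
    return "unasserted"


if __name__ == "__main__":
    ca_specific = "1.3.6.1.4.1.99999.1"    # constructed placeholder, not a real CA's OID
    samples = {
        "business cert": build_policies([ca_specific, OV_OID]),
        "domain cert": build_policies([DV_OID]),
        "CA-specific policy only": build_policies([ca_specific]),
        "no policies extension": None,
    }
    for name, value in samples.items():
        print(f"{name}: {validation_level(value)}")
```

The input is the inner value of the extension with OID 2.5.29.32; pulling that out of a full certificate is left to whatever X.509 library is already in use.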
-
Social is bad for search, and vice versa.
We've been pointing this out for a while. Our latest paper, "Social is bad for search, and search is bad for social", contains a tour of the social spam ecosystem. There's a whole industry out there selling not just "likes", reviews, and "+1s", but the fake accounts, IP proxies, and fake mail accounts needed to support them. Down at the bottom, the "search engine optimization" industry starts to connect to organized crime. There are several layers to separate the "legitimate businesses" looking for SEO services from the people selling IP proxies on botnets.
Social spam isn't primarily aimed at human readers any more. It's aimed at search engines. When Google started using reviews as a ranking factor for Google Places, and then merged Places results into main search results in October 2010, the social spam boom took off. Really fast. The ads for Google Places spam went over the top. For the last two months of 2010, it was so bad that stories hit the New York Times about how Google had jumped the shark.
-
Ad decluttering through selective ad blocking
I'm approaching this from the other end. I'm working on a browser add-on which limits the number of ads that appear on a page. The user sets the limit, and we trim out ads accordingly. The ads with lower SiteTruth ratings are deleted first.
This puts the user in control of the ad experience. The problem with on-line advertising today is that there are too many ads per page. This isn't good for advertisers or users.
-
This will go over big with web spammers
This will be a big boost to "purchaseplusone.com", "googleplus1supply.com", "buyrealplusone.com" (a Google advertiser, no less) and "plusonehero.com", "buyplusoneservice.com", "buygoogleplus1.net", "buyplusonenow.com", and "plusonesbuilder.com". It will be even easier for them to acquire Google accounts and create "+1" value for their customers.
Social is bad for search, and search is bad for social. As soon as a social service provides a boost to search ranking, it gets spammed. Heavily. This has happened to Google Places, Yelp, Citysearch (really bad there), Twitter (this is why your Twitter feeds are full of spam links), Facebook "likes", and now Google +1. From a spammer perspective, social spamming is easy and cheap. Setting up a link farm requires web sites, unique content, and ongoing site maintenance. Social spam just requires phony free accounts. The social services host your spam for you, for free.
Presumably the smart people at Google have figured this out by now, but they've been told that 2011 employee bonuses depend on Google's success at social. So, from a Google employee perspective, sacrificing search quality for social features makes sense. Google top management got paranoid about Facebook, which is about 1/5 the size of Google and peaked a few months back. (Social networks grow and die like nightclubs, which have a limited lifetime of coolness. Remember AOL, Geocities, Friendster, Orkut, Yahoo 360, Myspace...)
Google search quality efforts are mostly "window dressing", as the U.S. Attorney for Rhode Island put it in his statement about Google's non-prosecution agreement. When ad revenue conflicts with search quality, ad revenue wins. Prof. Ben Edelman of the Harvard Business School has analyzed this in detail.
-
Too slow
The trouble with "malicious URL scanners" that look for malware is that unless they're real-time, they're too late. The lifetime of bad sites is now often measured in hours.
Still, continually detecting the bad guys and beating on them does have effect. Major services have to do it, or they get pwned.
We do some tracking of major sites being exploited by phishers. There are only 29 sites on the list today, one of the shortest lists we've had in years. It's been as high as 140. The URL-shortening sites get hit daily, and kick most of the bad guys off within hours. The free-hosting sites get hit too, and most of them are good about kicking the phishers off. (Piczo and webs.com are not too good at this. t35 has gotten much better. Google has a big problem with people using documents and spreadsheets as phishing sites.)
-
Re:Google is squishy soft on business identity
That may be true in the EU, but here in the US, and only in some states - like New Mexico - it is possible to form a pseudo-anonymous corporation, with absolutely no tiebacks to you other than through the IRS. It's cheap (very cheap), and you can build an unlimited stack of DBAs like Robert Brown or John Smith. I'm not going to even start with the many ways that could be abused.
Yes, there are "low-doc" US states. Nevada is one. However, if you accept credit cards from California residents, there's California Business and Professions Code Section 17358, which requires disclosing the "actual name and address from which the business is conducted". California prosecutors routinely use that provision against scam sites; if the site is doing something slimy and is anonymous, prosecution under 17538 is an easy misdemeanor conviction good for 6 months in jail max.
-
Crowds can be sourced
"Crowdsourcing" search is a very bad idea, because crowds can be sourced.
Google shot themselves in the foot this way last October. They used to count reviews on Yelp and Citysearch in determining placement in Google Places, which, until last October, only affected the search engine for Google Maps. Since few people used the search engine for Google Maps to look for businesses by category, it wasn't spammed much.
Then, in October 2010, Google merged Places results into web search. Within two months, Places spam had overwhelmed search. The SEO efforts had become blatant. (Over-the-top promotional video). The mainstream press picked up on the issue, and Google looked really stupid. Around November 2010, Google started de-emphasizing Places results in web search, and stopped counting Citysearch and Yelp results. That brought the problem down to a merely annoying level.
Then in 2011, Page announced that Google employee bonuses would be dependent on Google getting into "social". So now "social" had to be built into everything. Hence "+1", followed, inevitably, by a market in "+1" boosts. See any black hat SEO forum to buy.
So, to fix that problem, Google has to have more information about Google account holders. This, as Eric Schmidt points out, can be obtained by insisting on real names and mining the user's social data.
Maybe they're doing it wrong.
-
Google now detects malware on their own sites
Google used to have a problem with malware and phishing sites being hosted on their own Google Sites. Once they plugged that hole, the malware moved to Google Spreadsheets. Because you can put HTML in Google's spreadsheets, it can be used as a free hosting service. Google hadn't anticipated this, and their abuse operation couldn't handle it.
Google seems to have plugged the spreadsheet hole now. I noticed recently that Google has disappeared from our major domains being exploited by active phishing scams. There were pages hosted by Google which were in Google's own "this site may harm your computer" blacklist. So their hostile-site detection wasn't coupled to their abuse department. That was kind of embarrassing, but until we publicized it, it didn't get fixed.
Basic truth - run a free hosting service, a free "forms" service, a free "poll" service, or a free URL direction service, and you will end up hosting phishing sites and related annoyances. If you run a free service, you must have an automatic check against the major phishing blacklists, or you will be pwned. This week's big sites being abused by phishers are "piczo.com" (social networking for teenage girls), "webs.com" and "moonfruit.com" (free hosting), and "t35.com" (which, the last time we contacted them, has one poor abuse guy trying to deal with a daily tide of phishing pages by hand).
Those sites are used by the bottom-feeders of the malware/phishing world. The big guys buy hosting with stolen credit card numbers, use botnets, and contract with "bullet-proof hosting" services.
There is progress. "Open redirectors" are more or less gone from major sites. Over the last three years, MSN, Yahoo, eBay, and Facebook have all had open redirectors. Publicity and nagging put a stop to that. Slowly, too slowly, IE6 is dying out.
-
Re:Unblockable servers
shouldn't block gmail/yahoo/hotmail or other big mail servers.
It's useful to have a penalty in your spam filter for free email services. Google's inbound spam filtering is good. Outbound spam filtering, not so much.
Related to this, the use of free hosting services as spam targets continues. Google spreadsheets, of all things, are widely used to support phishing scams. Here's a "Microsoft Webmail Activation Form" embedded in a Google spreadsheet. Because the related phishing emails contain a Google URL, they tend not to be tagged as spam by spam filters. The strange thing about that example (one of 124 such in PhishTank today) is that Google's spam blocking, as used by Firefox, knows that's a phishing page. The anti-phishing part of Google isn't talking to their own abuse department.
We've been tracking this at SiteTruth for years. The Google spreadsheet scam is less than a year old, and is now the most popular attack we see. Some free hosting services (mostly "t35.com", "piczo.com", "webs.com") still get hit, but Google is now #1.
Basic truth: if you offer free hosting or free URL redirection, you must have an automatic cross-check with phishing data sources like PhishTank and the APWG, or you will be pwned by phishers. Free hosting includes spreadsheets, forms, and polls. If the user can put HTML into it, it can be used for phishing.
-
We run a "scraper".
Our SiteTruth system does some "scraping". We're looking for the name and address of the company behind the web site, so we can check the business out. We also look for ad links and a few other things, like BBBonline seals, which we check. We use a user agent name of SiteTruth.com site rating system. We don't look very deeply into a site; if after examining the most likely 20 pages, we haven't found out who runs the site, we figure they're not going to tell us. The site is down-rated accordingly.
Our experience is that 0.1% of sites have a "robots.txt" file that tells us to not look at any pages at all. We don't look at those sites, and their SiteTruth rating information says "Blocked". Total exclusion of crawlers is rare. Most sites want some visibility.
One of the more amusing uses of a "robots.txt" file used to be seen on Marchex (the "What you need, when you need it" domainer) pages. The site wasn't blocked from crawling, but the link to the page that told you about Marchex was. That, we suspect, was to keep search engines from noticing that all those domains were really one business. That didn't help Marchex much. Marchex (NASDAQ: MCHX) is still around, stock way down from the peak and reporting a slight loss this quarter.
We do have one exception to obeying the "robots.txt" file. We look at the home page of the site to see if it's a redirect before looking at the "robots.txt" file. Some sites have both a redirect and a "keep out" robots.txt file on the same domain. This is like posting signs that say "Keep Out" and "Please Use Other Door" on the same entrance. That contradiction was apparently a workaround for an old Google crawler bug. Google would index both "example.com" and "www.example.com" separately, then consider them duplicates, which caused some SEO problems.
Actually logging into sites from a crawler is just wrong. I'm amazed that a deep pocket like Nielsen would do that.
-
Can Google afford to stop spam?
Google has a dilemma. If their search engine takes you directly to the place you want to go, they don't make any money. For a good analysis of this, see "Google Sucks All the Way to the Bank", by Jill Whalen. She is, unfortunately, right. It's essential for Google's success that some of their own ads be more relevant than their search results. Part of their revenue comes from sending users on a side-trip to AdWords-heavy pages. We've measured this, using a browser plug-in which reports AdWords appearances to us. About 36% of domains with AdWords (counting domain names, not traffic) are what we consider "bottom feeders", junk sites with a commercial purpose but no identifiable business behind them.
On the local search front, spam in Google Places is even worse than in their main search results. This, though, appears to be due to ineptitude, not malice. Google added a business search system to Google Maps a year or two ago; that's what Google Places really is. You've been able to go to a Google Maps page and search for businesses for some time now. Few people knew this.
Then, in October 2010, Google merged the map search results into their main search results. "Places" results suddenly got top billing in Google. The "search engine optimization" (SEO) industry swung into action, and began spamming Google Places on a massive scale. (We have a paper on this, which has been mentioned by Techdirt, the New York Observer, etc. It's an amusing read.) Recommendation spamming, which had been going on for a while at a low level, grew substantially once recommendations started affecting Google search results.
This, incidentally, is why Blekko won't work. If they get enough market share to matter, techniques will be developed to spam them into meaninglessness.
Stopping web spam is technically quite possible. We do it by finding the business behind the web site, and doing some automated due diligence. We check business records, SEC filings, BBB ratings, and Dun and Bradstreet to verify business legitimacy. We down-rate most of the junk. We try to err in the down-rating direction, taking the position that it's the job of a company to demonstrate their legitimacy by using their real name and address on their web site, which has to match real-world business records. Our demo site for this shows what search is like if you take a hard line on spam.
Our approach requires more of a hard-ass attitude than Google's business model can perhaps afford. With Blekko making Google look foolish, though, and Bing slowly improving, Google may have to actually do something that works, even if it cuts into revenue from the spam.
-
Re:"Better" didn't help Yahoo.
If someone's looking for information or something else for free, then you need a different criteria.
Right. Recognizing "commercial intent" is tough. SiteTruth's current implementation is simplistic. SiteTruth considers all domains in ".com" to be commercial, and any domain with an ad from any of the major ad services causes a site to be treated as commercial. Put up a blog with no ads in some other TLD, and it's treated as non-commercial. This is hard on anonymous ad-supported blogs, but at this point, most anonymous ad-supported blogs are spam.
The SiteTruth demo shows what happens if you take a hard-ass attitude towards spam. The major search engines have been too soft on spammers, content farms, spam blogs, ad-heavy pages, and similar junk. The result was a massive increase in web junk. We took a hard line. There's far less spam, and although there's some collateral damage, it appears to be acceptable.
One of the amusing bits of collateral damage can be seen in SiteTruth's rating of Google. Google gets a red "Do Not Enter" sign today. Why? Because they're hosting some phishing sites. Scroll down past Larry Page's SEC filings (when we say "know who you're dealing with", we mean it) to the red "Phony site reported" list. Google Spreadsheets is hosting some phony login pages. Crooks can abuse Google Spreadsheets for phishing purposes, and reporting them to Google doesn't seem to help. So Google is now second from the top in our list of "Major domains being exploited by active phishing scams". We down-rate the whole domain for that. About 25 to 75 domains are on the list on any given day, but only 16 have been on the list for more than 3 months. That's a quantitative indication of an ineffective abuse department.
-
"Better" didn't help Yahoo.
For about the first half of 2008, Yahoo search was better than Google search.
Yahoo introduced specialized subengines - stocks, weather, movies, celebrities - which were triggered by matching queries. Each subengine had a special case for that class of information. Yahoo had about fifty such subengines.
Nobody noticed. Yahoo's market share didn't move. I only knew about this because I went to a talk by the head of Yahoo R&D at the time.
Bing's strategy seems to be mostly to follow Google. Google put Google Places into web search (a big mistake, because Places is so easy to spam), and Bing followed within days.
This week, everybody from Techdirt to CNN is dumping on Google for their spam problem. Even Paul Krugman at the New York Times mentioned it. There's much blog talk of "human powered search" or "curated search" to stop the spam but the failure of Wikia Search, and the lack of interest in ChaCha, Swicki, and Rollyo, indicates that's a dead end. (Mahalo started as human-powered search and ended up as a content farm, which is a hint that "human powered" doesn't equate to "better". No complaints from search users about that, though.)
(Note: I have a position in this; I run SiteTruth. There, we try to find the business behind the web site, and rate that, using data from the SEC, BBB, D&B, and other hard data sources about businesses. This works well at eliminating spam. Too well for some sites; we get complaints about our hard-ass "when in doubt, rate it down" approach.)
-
Manual ranking won't work.
They really need to create a ranking system for logged in Google users so people can vote down spammy links.
Won't work. The spammy links come and go too fast. Mean lifetime of a phishing site is a few days. Since most are created automatically, dealing with the problem manually will always be struggling to catch up.
Take a look at our list of major domains being exploited by active phishing scams. That's from PhishTank data, which is updated manually. The list is ordered by how long the site has been on the list. At the top are the usual suspects, with phishing pages up for as long as a year. Towards the bottom, note that seven sites were added this week, and nineteen came off the list in the last week. That level of churn is about normal.
Note that this list is only for "major" sites, ones in Open Directory. Those are legit sites who've been abused by phishers. There are tens of thousands of purpose-built phishing sites on junk domains. Those used to churn really fast in the "domain tasting" days, but with that hole plugged, there's been a little improvement. Now the phishing sites buy hosting with stolen credit card numbers and operate the site until the credit card processing system detects fraud and the hosting service shuts the site down.
-
The trouble with non-bank banks
The problems with PayPal are well known. PayPal should be regulated as a bank in the US, so customers have recourse to banking regulators when PayPal is holding the customer's money against the customer's will.
Not that PayPal's competitors are better. WePay got press by putting a block of ice with money inside in front of the PayPal conference. But they have miserable customer terms, like PayPal:
- "You may not transfer or assign any rights or obligations you have under this Agreement without WePay's prior written consent. WePay reserves the right to transfer or assign this Agreement or any right or obligation under this Agreement at any time." That's backwards, since they have your money, and you don't have their money.
- "You agree that WePay, in its sole discretion, for any or no reason, and without penalty, may suspend or terminate your Account (or any part thereof) or your use of the WePay Services and remove and discard all or any part of your Account at any time." Discard your account? With your money in it? That's what they're saying. Banks have to immediately refund your money if they close your account.
- "IN NO EVENT SHALL WEPAY, its EMPLOYEES OR SUPPLIERS BE LIABLE FOR LOST PROFITS OR ANY SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR IN CONNECTION WITH OUR WEBSITE, OUR SERVICES, OR THIS AGREEMENT (HOWEVER ARISING, INCLUDING NEGLIGENCE), UNLESS OTHERWISE REQUIRED BY LAW." Banks can't get away with that.
- "WePay reserves the right to change, modify, add, or remove portions of this Agreement (each, a "change") at any time by posting notification to the WePay website or otherwise communicating the notification to you." That's out of line for a bank-like service.
- "Any Claim between you and us shall be resolved, upon the election of either you or us, by binding arbitration." So you can't sue them. Banks have been in trouble for that, even for credit cards, where you owe them money. Remember, WePay is a depository institution - they hold your money. You never owe them money.
As for having a "brick and mortar" location, when I run WePay.com through SiteTruth, it reports the address of a house in San Jose. That's the address they gave the U.S. Securities and Exchange Commission as their place of business.
-
Sites powered by Google Ads
Looking at the list of "evil sites":
- Gamesfactoryinteractive.com - not in DNS, not in Whois. The article probably has the domain wrong.
- Games-digest.com - domain registered in Korea.
- Mariogamesplay.com - has Google ads
- Anywhere-games.com - has Google ads
- Galacticflashgames.com - On Google's "This site may harm your computer" list, yet it contains Google ads.
- Towerofdefense.com - hosted by HostGator
I ran them all through SiteTruth, which, unsurprisingly, can't find a legit business behind any of them and thus down-rates them as junk sites.
-
Google needs dodgy advertisers.
Google's business model requires dodgy advertisers. Google has created and funded a whole industry of AdWords arbitrage, encouraging web spam. That's a big part of their customer base. How often do you see a Fortune 1000 company in a Google ad?
In 2004 and 2005, Google sponsored the "Web Spam Squashing Summit". In 2006, Google turned to the dark side. They started sponsoring the Search Engine Strategies conference, the web spammer's convention. That's when "Don't be Evil" ended.
We track Google ads at SiteTruth, trying to find the business behind the ad. For about 36% of Google ads (by domain, not hits) not on search pages, there's no identifiable real-world business behind the ad. We call those "bottom-feeders". The "John Does" Google is suing fall into that category. If Google kicked off all those "John Doe" advertisers, they'd lose a third of their advertiser base.
-
They have to go bankrupt to do that.
Only if the company formally declares bankruptcy can they get out of their "lifetime warranty". See the Magnuson-Moss Warranty Act for general information about warranties. "Lifetime Warranty" has specific legal meaning in the US.
Second, where is "BFG Technologies, Inc."? That information isn't on the web site. (This is why anonymous web sites are bad, and why our SiteTruth system gives them a low rating.) But it can be found. Dun and Bradstreet gives us the information that they are in Illinois, and Illinois corporate records give us this:
BFG TECHNOLOGIES, INC.
File Number 62377402
Status ACTIVE
Entity Type CORPORATION
Type of Corp DOMESTIC BCA
Incorporation Date (Domestic) 08/27/2002
State ILLINOIS
- Agent Name: PHILLIP A HEWES, 550 WEST VAN BUREN ST STE 1450, CHICAGO IL 60607 (That's Fitzgerald & Hewes LLP, their lawyers.)
- President Name & Address: JOHN VOSICKY, 2530 S CHESAPEAKE, WESTCHESTER IL 60154
- Secretary Name & Address: PHILIP HEWES, 441 S ASHLAND AVENUE, LAGRANGE 60525
Forbes has background info on John J. Vosicky. He was the chief financial officer before he was CEO. He was also previously CFO of Comdisco, which went into bankruptcy in 2001.