Slashdot Mirror


Ad Networks Lay Path To Million-Strong Browser Botnet

jfruh writes "Every day, millions of computers run unvetted, sketchy code in the form of the JavaScript that ad networks send to publishers. Usually, that code just puts an advertiser's banner ad on a web page. But since ad networks and publishers almost never check the code for malicious properties, it can become an attack vector as well. A recent presentation at the Black Hat conference showed how ad networks could be used as unwitting middlemen to create huge, cheap botnets."

105 comments

  1. Disable JavaScript? by zippo01 · · Score: 0, Redundant

    Done.

    1. Re:Disable JavaScript? by Skapare · · Score: 1

      I just block the ad networks.

      --
      now we need to go OSS in diesel cars
    2. Re:Disable JavaScript? by Anonymous Coward · · Score: 1

      I just block the ad networks.

      If you're a content provider and are concerned about ad blocking hitting your bottom line then you need to be in your ad provider's face about this shit or I don't wanna hear any bitching.

    3. Re:Disable JavaScript? by Anonymous Coward · · Score: 0

      Amen. I don't have a problem with supporting content makers and ads per se, but as long as they are an untrusted source and giant security hole, it's adblocker for me.

    4. Re:Disable JavaScript? by CheshireDragon · · Score: 1

      adblock plus? done :/

      --
      "That's right...I said it."
    5. Re:Disable JavaScript? by FatLittleMonkey · · Score: 1

      If you're a content provider and are concerned about ad blocking hitting your bottom line then you need to stop using ad networks and host your own ads or I don't wanna hear any bitching.

      FTFY

      It stuns me that media operators who have run their own in-house advertising divisions for their dead-tree versions for decades, suddenly act like one-man amateur blogs for their online versions, needing third-party-hosted ad networks.

      --
      Science is all about firing a drunk pig out of a cannon just to see what happens.
    6. Re:Disable JavaScript? by Anonymous Coward · · Score: 0

      Unless you're using the next Firefox. Then you don't.

    7. Re:Disable JavaScript? by AlphaWolf_HK · · Score: 1

      I think the reason for that is that they aren't just ads anymore - they're collecting intelligence on the visitors. It doesn't work as well when you host the ads on your own, you need a third party to be able to track what pages your visitors are navigating to when they navigate away from your own site (assuming of course the site they navigate to is within the ad provider's network) as the web browser isn't going to allow multiple domains to share information.

      It's one thing to show sponsored messages to users, but it's even more profitable to find out what your users want. Self hosted ads aren't as good at the latter.

      --
      Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
    8. Re: Disable JavaScript? by Anonymous Coward · · Score: 1

      How do you disable Java or 3rd party ads on platforms like iPhone or iPad?

    9. Re: Disable JavaScript? by Anonymous Coward · · Score: 0

      Come on, don't be ridiculous.

      If you've wasted your money on iJunk, being ripped off by online scammers is a minor irritation by comparison.

    10. Re: Disable JavaScript? by oPless · · Score: 1

      Java isn't supported on iDevices.

      You must be confusing Java with Javascript. Which ... ... IS NOTHING TO DO WITH JAVA AT ALL.

      Please hand in your geek pass to the DHS official and make your way to gitmo. Oh wait. They only do that for leakers...

    11. Re: Disable JavaScript? by Anonymous Coward · · Score: 0

      Java isn't supported on iDevices.

      You must be confusing Java with Javascript. Which ... ... IS NOTHING TO DO WITH JAVA AT ALL.

      Please hand in your geek pass to the DHS official and make your way to gitmo. Oh wait. They only do that for leakers...

      First they came for the leakers...

    12. Re:Disable JavaScript? by UltraZelda64 · · Score: 1

      1. Disable third-party cookies
      2. Install Adblock Plus + Element Hiding Helper
      3. Install NoScript
      4. Install DoNotTrackMe
      5. Turn on the worthless "Do Not Track" header, if only just to further get the point across.
      6. Clear cookies if you previously went to sites before disabling them, because you've likely got some Facebook tracking garbage on your machine.

      Done.

    13. Re:Disable JavaScript? by foniksonik · · Score: 1

      There are three metrics for ads online. Impressions, clicks and conversions. Ad companies get paid for each at different rates.

      The ads may read a cookie set previously or will set a cookie using an iframe. It has a beacon gif to log impressions. The destination reads the cookie using an iframe with same domain as prior. It also uses a beacon to log impressions.

      The cookie tells the ad network: this user came from campaign id xxxxx. That cookie will also be read again on an order confirmation or any conversion success page (a thanks page for sign up or whatever).

      So you have a beacon on the content site (payee) for impressions, a cookie set to track click throughs across domains via a 3rd party iframe and beacons on the destination (payer) to log click throughs and possibly conversions.

      The beacons will send back a set of data including the campaign id, user agent info, time stamps, and anything needed by the contract which is provided by the payer, e.g. if it's an affiliate program then the order subtotal (no tax or shipping) will be sent to log a commission. The user agent and uid are used for analysis and segmentation to do things like a/b testing an offer (will a 5% or 10% discount work better - 5% is often good enough to drive traffic and 10% may not convert to higher sales).

      --
      A fool throws a stone into a well and a thousand sages can not remove it.
    14. Re: Disable JavaScript? by Anonymous Coward · · Score: 0

      If you're going to pick on people, HAS not IS.

    15. Re:Disable JavaScript? by Anonymous Coward · · Score: 0

      A sandbox comes in handy, for browsing or everything related to temporary files/data.. just have a properly configured base os, then "opt-in" everything you need when running programs in your sandbox, when you've finished, "null" the sandbox, done. Such an environment is simply a fine addition to whatever os you use.

    16. Re: Disable JavaScript? by Anonymous Coward · · Score: 0

      Where you're from maybe... there are many countries with English as their language and they have different grammars. Welcome to the world wide web.

    17. Re:Disable JavaScript? by sjames · · Score: 1

      And that is part of why people object to them (other than giving you cooties that is). No other medium has had the ability to automatically track people who read the ads and they have done fine. Some tracking for conversions can be done with discount codes or through the url in the ad.

      I'll bet if the ad networks are held liable for malware they distribute, they'll suddenly be fine with those limitations.

  2. No Script by Anonymous Coward · · Score: 1

    For Firefox fans there is an add on called "no script" that prevents Javascript from running automatically. There should be an equivalent for Chrome folks too.

    1. Re:No Script by Anonymous Coward · · Score: 1

      For Firefox fans there is an add on called "no script" that prevents Javascript from running automatically. There should be an equivalent for Chrome folks too.

      It's called NoScript.

      And there's no "NoScript equivalent" for Chrome folks, sadly.

    2. Re:No Script by akeeneye · · Score: 3, Interesting

      The equivalent on Chrome is "NotScripts".

      --
      The man who dies rich dies disgraced. -- Andrew Carnegie
    3. Re:No Script by Bigbuzzman · · Score: 1

      The equivalent on Chrome is "ScriptSafe".

    4. Re:No Script by Anonymous Coward · · Score: 0

      Did you actually read his link? ScriptSafe is not functionally equivalent to NoScript.

  3. So...... by Anonymous Coward · · Score: 0

    is this that staticlib.net crap that's been making the rounds lately?

  4. This is nothing new. by Anonymous Coward · · Score: 0

    Been happening since the beginning of broadband.

  5. Yep, that. by intellitech · · Score: 5, Informative

    Ghostery and Adblock FTW.

    --
    vos nescitis quicquam, nec cogitatis quia expedit nobis ut unus moriatur homo pro populo et non tota gens pereat.
    1. Re:Yep, that. by Anonymous Coward · · Score: 0

      Did not previously know about Ghostery. Thanks for that one.

    2. Re:Yep, that. by Anonymous Coward · · Score: 0

      Ghostery and Adblock FTW.

      You can't leave out NoScript. It's a trinity thing: NoScript, Adblock, and the holy Ghostery.

    3. Re:Yep, that. by Somebody+Is+Using+My · · Score: 1

      Or Abine DoNotTrackMe, which I marginally prefer over Ghostery because the latter is run by the ad networks (of course, I'd prefer an OpenSource alternative...)

      NoScript, Perspectives, Flashblock, BetterPrivacy and HTTPS Everywhere round out the package.

      And occasionally PrefBar so I can change my browser UserAgent on the fly, just to mess with 'em...

    4. Re:Yep, that. by Anonymous Coward · · Score: 0

      Yeah, it's made by an ad company and uses the information it gathers to sell to the highest bidder. So thanks for that.

      There is a discussion on Reddit where the CEO goes off on some guy for calling them out, it's priceless.

    5. Re:Yep, that. by Anonymous Coward · · Score: 0

      This does a better job than those by a longshot http://it.slashdot.org/comments.pl?sid=4034107&cid=44439245

    6. Re:Yep, that. by Flere+Imsaho · · Score: 1

      Don't forget noscript. Very nice to have when you stumble across a compromised site directly serving malware.

      --
      It gripped her hand gently. 'Regret is for humans,' it said.
    7. Re:Yep, that. by OdinOdin_ · · Score: 1

      What can Ghostery do that RequestPolicy cannot?

      https://www.requestpolicy.com/

      Is Ghostery just targeted at abusers of 1x1 img pixels and tracking cookies? As RequestPolicy seems to be a generic solution for any information not coming from the target website you are visiting.

  6. calculations by Anonymous Coward · · Score: 0

    I wonder what the cost of doing this would be compared to renting a super-computer time.

  7. Huh? by real-modo · · Score: 1

    You mean there are other attack vectors, too?

  8. Seems to be the main source of malware... by Anonymous Coward · · Score: 1

    From what I've seen, it seems like ad networks are either the main form of malware vector, or at least close to it. It isn't true proof, but I have had no issues with infections when using AdBlock and an add-on blocker (even if it is Chrome's "click to play" item), but if I fire up a VM and go browsing without those utilities... all hell breaks loose. Antivirus utility? Yeah, right. Those are OK for maybe scanning an infected machine's HDD that is mounted on another box. However, rootkits, especially RAM based ones will still be a gotcha.

    I see nothing good about ad servers. They are a vector for malware at worst, at best, are a constant source of behavioral tracking and monitoring. At best, they throw a few bucks a month at sites that use them.

    I like the idea of a subscription clearinghouse and micropayments, but there are issues of privacy and anonymity to be worked out.

  9. Somewhat scary by mendax · · Score: 1

    Well, it's scary enough to make me want to turn off Javascript (unless I'm running Firefox—and I'm not—and can't turn it off). But Javascript provides to web pages features and abilities that I'd rather like to keep. For example, I love AJAX and how it allows a sufficiently sophisticated browser to do something like what Google did with Gmail. When I first saw Gmail my jaw dropped. "WOW!" I knew then that the thick client's life was limited. But as things get more and more nasty I'm wondering if perhaps the thick clients are not a safer approach for some applications.

    --
    It's really quite a simple choice: Life, Death, or Los Angeles.
    1. Re:Somewhat scary by Splab · · Score: 2

      That's the reason why I use adblock, I only block the adnetworks, not the local site served stuff.

      If site operators want me to view ads, then they bloody well can vet them and host them themselves.

    2. Re:Somewhat scary by Opportunist · · Score: 3, Insightful

      The problem is less that I need all the bells and whistles. The problem is more that a sizable portion of webpages simply doesn't work without its bells and whistles.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Somewhat scary by BenoitRen · · Score: 1

      It's even worse than that. Basic navigation even breaks without JavaScript enabled.

      Yesterday I tried visiting the websites of two electronic chain stores (owned by the same parent company) with JavaScript turned off. I couldn't get past their language selection page as the cookie that saves your selection is set by a JavaScript onclick handler!

    4. Re:Somewhat scary by Anonymous Coward · · Score: 0

      NoScript is your friend here. Only allow the visited site and their CDN.

  10. This is why... by klingers48 · · Score: 1

    ...I blanket-block all ads. As much as I don't like ads, I'd tolerate them if they had the trust they need to _earn_ to run Javascript/Java/Flash content on my machine.

  11. A whitelist of safe ad servers? by ScottCooperDotNet · · Score: 1

    You trust Oracle Java and Adobe Flash enough to run them on your machine?

    1. Re:A whitelist of safe ad servers? by sqrt(2) · · Score: 1

      I have Java on my machine but it's not exposed to the web. Javascript is enabled on a site by site basis with the default setting being to deny all scripts. Usually sites will at least render well enough to read an article even if the layout is garbled. I can still get the content so that's good enough. None of their ad/tracking scripts get to run, ever. Sites like Slashdot get to run Javascript but right now I look and there are four domains on this page which have their scripts blocked: google-analytics.com, googleadservices.com, rpxnow.com, and doubleclick.com. Three of those are outright blacklisted across the entire internet in my browser.

      I'm worried that one day they'll start running ad/tracking scripts from the same domain, then it'll become much harder to allow only some scripts on a page and deny malicious ones (I consider the activity of advertising to be malicious by its nature).

      Flash gets to run, but I have a click to play plugin so flash objects don't run by default except on a few sites like Youtube.

      --
      If you build it, nerds will come. Soylentnews.org
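
The default-deny, per-domain script policy described in the comment above, as an added example (not part of the thread and not NoScript's own code). The policy shape, function names, page URL and script list are constructed for illustration.

```javascript
// Added example: a default-deny, host-based script policy of the kind the
// comment above describes. Not NoScript's code; all data below is constructed.

// Policy (assumed shape): script hosts allowed to run, plus a global blacklist.
// The comment names four blocked domains and says three are blacklisted but
// not which three, so the split chosen here is arbitrary.
const POLICY = {
  allow: ["slashdot.org"],
  blacklist: ["google-analytics.com", "googleadservices.com", "doubleclick.com"],
};

// True when host is `domain` itself or a subdomain of it. Matching on a label
// boundary keeps "notslashdot.org" and "slashdot.org.example.net" from passing.
function hostMatches(host, domain) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  const d = domain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Decide one script reference found on pageUrl. The blacklist wins over the
// allow list; anything not explicitly allowed is denied.
function decide(scriptSrc, pageUrl, policy) {
  let url;
  try {
    url = new URL(scriptSrc, pageUrl); // resolves a relative src against the page
  } catch {
    return { allow: false, reason: "unparseable" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { allow: false, reason: "non-http scheme" };
  }
  const host = url.hostname;
  if (policy.blacklist.some((d) => hostMatches(host, d))) {
    return { allow: false, reason: "blacklisted", host };
  }
  if (policy.allow.some((d) => hostMatches(host, d))) {
    return { allow: true, reason: "allowed host", host };
  }
  return { allow: false, reason: "default deny", host };
}

// Apply the policy to every script reference on a page.
function audit(pageUrl, scripts, policy) {
  return scripts.map((src) => ({ src, ...decide(src, pageUrl, policy) }));
}

// Constructed sample page and script references.
const PAGE = "https://slashdot.org/story/example";
const SCRIPTS = [
  "/static/site.js",                          // first-party, relative
  "https://www.google-analytics.com/ga.js",   // blacklisted, via subdomain
  "https://ad.doubleclick.com/adj/banner.js", // blacklisted, via subdomain
  "https://rpxnow.com/widget.js",             // not listed anywhere
  "https://notslashdot.org/x.js",             // look-alike suffix
  "https://slashdot.org.example.net/x.js",    // look-alike prefix
  "data:text/javascript,0",                   // no host to judge
  "/ads/tracker.js",                          // tracker served first-party
];

for (const r of audit(PAGE, SCRIPTS, POLICY)) {
  console.log((r.allow ? "ALLOW" : "BLOCK").padEnd(6), r.reason.padEnd(16), r.src);
}
```

The last entry is the case the comment worries about: once a tracking script is served from the page's own domain, a host-based policy can no longer tell it apart from the site's own code.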
    2. Re:A whitelist of safe ad servers? by Anonymous Coward · · Score: 0

      :/

  12. Like hell they do by WD · · Score: 4, Informative

    If you care about security, you're running NoScript. And they do not run.

    1. Re:Like hell they do by Anonymous Coward · · Score: 0

      Exactly. Why would any sane individual "... run unvetted, sketchy code in the form of the JavaScript that ad networks send"?

      Isn't that kind of like letting random strangers into your house to do pretty much anything they feel like? Why would somebody do that?

    2. Re:Like hell they do by tgd · · Score: 2, Interesting

      If you care about security, you're running NoScript. And they do not run.

      Why bother using the web, then? Most sites won't work with scripting disabled to any usable extent.

      If you want to be safe from evil ad networks, just don't use the web. Problem solved.

      But saying "just don't do it" in reference to things that the overwhelmingly vast majority of people need or want to do is not solving the problem, and is distracting to the need to actually solve the problem.

    3. Re:Like hell they do by Anonymous Coward · · Score: 0

      Apparently you haven't used noscript. You can (temporarily) enable scripts from domains. The harmful/irritating/... scripts usually don't come from the site you wish to view but third parties. Enable what you need and enjoy the site. It is sometimes quite disconcerting how many unknown third party domains are listed...

    4. Re:Like hell they do by Anonymous Coward · · Score: 0

      For any given value of "most sites"?

      I disagree.

      Whilst of course YMMV, most sites I use run fine with NoScript and those that don't only require one or two (from lists of up to 20!) domains being whitelisted before it becomes usable.

    5. Re:Like hell they do by Anonymous Coward · · Score: 0

      Not just strangers.

      Would you let someone in your house who is going to use any sales tactics they can to sell you something, all the while taking pictures of the inside of your house, using voice stress level meters on each answer you give them?

      Same with ad networks. At best intrusive. At worst, a major security threat.

    6. Re:Like hell they do by tlhIngan · · Score: 1

      Why bother using the web, then? Most sites won't work with scripting disabled to any usable extent.

      If you want to be safe from evil ad networks, just don't use the web. Problem solved.

      But saying "just don't do it" in reference to things that the overwhelmingly vast majority of people need or want to do is not solving the problem, and is distracting to the need to actually solve the problem.

      Most javascript that aren't site related are third-party. So you can allow the site level javascript to run without allowing the evil infected (and most likely from Google*) javascript through.

      If it wasn't for the craziness of some websites (eBay, Amazon, Google (and its properties - YouTube, etc), most news sites), you could get a pretty decent experience with enabling first-party only JavaScript. But most sites also seem to need stuff like jquery and the like.

      It's why Flash or plugins is a bad idea over HTML5 - you cannot get the same amount of control through the plugin. Like how I can prevent my browser from loading up Google-owned DoubleClick javascript but only through an HTML web page. If the webpage has an embedded Flash object then that flash object can pull in javascript from anywhere, including blocked sites.

      * - Remember, Google owns the vast majority of online ad networks out there, and from a branding perspective, you won't see something like "DoubleClick - a Google-owned company", So it would eventually be Google the one serving up the ads via one of their companies.

    7. Re:Like hell they do by Flere+Imsaho · · Score: 1

      You teach NoScript which sites you allow scripts to run on, or use the "allow this time" option. It takes a few weeks for it to learn your trusted sites, but once you get in the habit of clicking "allow this time" for one-off visits, it becomes second nature. As is frequently the case, there's a trade-off between usability and security.

      NoScript is invaluable when you access a site that's been compromised and is directly serving malware via scripts.

      For sites you have allowed in NoScript, filter out marketing-scum-ware with Ghostery and AdBlock. Security is like an Ogre, it has layers. Defense in depth!

      --
      It gripped her hand gently. 'Regret is for humans,' it said.
  13. Uninformed by Anonymous Coward · · Score: 1

    Nice to know BlackHat has finally caught up with 2007 when malvertising was publicly identified as an issue (see https://isc.sans.edu/diary/Malvertising/3727). Strange that people actually working in the anti-malvertising world have never heard of these researchers' work.

    I guess we can ignore RiskIQ and Twitter's purchase of Dasient. The tens of millions a year spent on preventing malvertising is clearly "nothing". The methods being used might not be as effective as some want, it isn't due to a lack of funding. After 42 years we still can't reliably stop malware.

    1. Re:Uninformed by Opportunist · · Score: 1

      BlackHat ain't what it used to be...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Uninformed by NJRoadfan · · Score: 1

      What surprises me is that it was publicly identified in 2007. It was a problem for years before that.

  14. good thing by Anonymous Coward · · Score: 0

    noscript

  15. not necessarily "broken by design" by Anonymous Coward · · Score: 0

    I don't really have much of a problem donating some of my resources to a free web worker pool, as long as it doesn't adversely impact my own use. Some people already do this with various online distributed computing platforms.

    As far as "servers being attacked" and "cracking passwords" goes, I think web security is important and will continue to become more so. I guess this might raise costs, but it's money well spent if it makes the internet a more secure, robust, free, and useful tool in the long run.

  16. And they're wondering... by Opportunist · · Score: 4, Insightful

    ...why we use adblock and noscript, whining that we deprive them of income.

    It's not that your ads are obnoxious, albeit even that alone would suffice as a reason. They're dangerous to us.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:And they're wondering... by Anonymous Coward · · Score: 0

      I use Adblock Plus, No Script and Ghostery. I also look at it this way. When the ad companies start paying for using a portion of my bandwidth... well, that'll never happen.

    2. Re:And they're wondering... by Neil+Boekend · · Score: 1

      They pay for the use you have of the sites. Do you really think Google's servers run on unicorn farts?
      Do you pay Google for the electricity for their servers? And their bandwidth?

      Separate from that, crappy scripts are not required to display an ad. Noscript is necessary and sufficient to prevent what the article is talking about.
      Adblock isn't required and could be considered theft. If you don't want the site owner to be paid for the service he provides you then you can always choose not to use that site. Using the site but preventing them from getting paid is dodgy at best IMHO.

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
    3. Re:And they're wondering... by HybridST · · Score: 1

      For now adblock and noscript work well enough. What about after the other side develops NoBlock and AdScript?

      --
      Ever notice that Cobra Commander sounds an awful lot like Star scream?
    4. Re:And they're wondering... by JazzLad · · Score: 1

      Do you ever go to the bathroom during the commercials of a TV show? Because, you know, that's dodgy at best & could be considered theft.

      --
      "If you have nothing to hide, you have nothing to fear." - Every fascist, ever
    5. Re:And they're wondering... by Anonymous Coward · · Score: 0

      Go to hell, I'll paste a past post of mine because I'm tired of giving your type the glory of a response.

      -------

      I'm a developer who writes free "apps". The developers who think that their website, program, or whatever is a privilege and deserves to advert the hell out of people for viewing it are the real ignorant ones. Add a donation link, if you don't like that route then remove your website or program from the internet while users find a better alternative not written by arrogant people. I prefer you didn't use stupid generalizations and say that all free programs earn money by tracking/ads. The programs written by shortsighted people are like that, perhaps.

      Your website or program is not an awesome epitome of software. It's a tool that people may or may not use depending on their whims. If you don't want people using your stuff for free, don't make it free in the first place.

    6. Re:And they're wondering... by John+Bokma · · Score: 1

      The people who have a bathroom break during each and every TV commercial are non-existent. The people who read each and every ad on each and every web page are non-existent.

    7. Re:And they're wondering... by Anonymous Coward · · Score: 0

      What about the poor advertisers? If they are paying per impression and I have no intention of buying the product it seems like theft to make them pay for a potential sale they will never see. If they are paying per click then since I'm not going to ever click an ad except by accident it seems like theft to make the advertisers pay for my mis-click, and if I don't click the ad at all then it's pointless to see the ad since no one has lost money.

    8. Re:And they're wondering... by JazzLad · · Score: 1

      So where is the line in the sand? It's ok to mute commercials and go get a bite to eat, but using a DVR to skip is stealing? Skipping w/ DVR is no different than adblock.

      --
      "If you have nothing to hide, you have nothing to fear." - Every fascist, ever
    9. Re:And they're wondering... by John+Bokma · · Score: 1

      Yes, I think it's OK to go to the bathroom during commercials, or prepare some food for the same reason I think it's OK to turn a page and not read an ad or not scroll all the way down to read all ads on a web page.

      Where to draw the line? No matter where it's drawn there will be always people who consider it their right to block each and every ad. Like there are people who think it's OK to have a dog barking the whole day in their backyard while they are at work, etc.

    10. Re:And they're wondering... by Anonymous Coward · · Score: 0

      Dude, you got issues if you think blocking ads is the same as a dog barking outside all day ... my guess is you've got a crappy webpage with declining ad revenue.

    11. Re:And they're wondering... by Neil+Boekend · · Score: 1

      You choose to give your work away for free. Good choice.
      But it is your choice, since it's your work. Not everyone feels like that. Some choose to ask money directly for their work, some choose to display advertising to pay for their work. That's also the choice of the creator.
      If you don't want to pay for the work with advertising then you can simply not use it. There are plenty of websites that I don't use because I dislike the amount of ads they display. Their loss, because that does limit the income from ads.
      But blocking the ads and using the work anyway is dodgy at best IMHO. We don't have to agree on that, you can feel different. I won't hate you for it.

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
  17. Soo by Anonymous Coward · · Score: 0

    Massive class action?

  18. The author is lying by SpicyBrownMustard · · Score: 4, Informative

    I've worked with several ad networks, on a number of issues, and can say with absolute confidence that the author has no concept of how the technology actually works, which results in an outright lie in his thread-starter.

    The JavaScript code originates with the ad delivery platform (DoubleClick, OpenX, 24/7, etc.), sometimes outsourced to the ad networks -- DoubleClick is a white label delivery platform for many ad networks. The JavaScript is tightly controlled and constantly subject to real-time auditing by several providers such as The Media Trust. The advertisers simply provide the assets -- the banner creative -- that is delivered by the ad network, optimization systems, and ad delivery platforms.

    Currently, yes, it all sucks and is why we have had blockers, but is also the only option to monetize free content -- for now.

    1. Re:The author is lying by mrbester · · Score: 1

      Audited by whom? Not developers with any care or consideration to best practises and standards. Or are you seriously suggesting that document.write and blocking code is just fine?

      --
      "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
    2. Re:The author is lying by gishzida · · Score: 1

      From your comment I'd say you have no clue how the ad networks are being used as a malware delivery system and since any number of the readers here have already attested "mouse over" attacks do exist... What I am hearing you say is the ad networks have done absolutely nothing to prevent their networks being used as an attack vector... say something like vetting the URLs provided for the "banners"... I can tell you that at least 6 years ago I had a "mouse over" attack from a banner served on TheRegister.co.uk... talk about biting the hand that feeds IT!

      On the other hand since installing ad block plus and NoScript on the systems on my network I have not had one single pop-up malware attack or other browser related malware / trapdoor / ransomware infection... Script blocking add-ons seem to be the only protection against the ad networks' failure to keep virus-free advertising.

    3. Re:The author is lying by Dynamoo · · Score: 2

      The assertion that ad networks do not check code is certainly untrue overall. But some networks check code more closely than others, and the bad guys use all sorts of techniques to evade detection (geotargeting, for example, or changing the behaviour of the ad when it is being examined on the ad network's own IP range). The lengths some bad actors go to are impressive, and be in no doubt that there is a state of war between most ad networks and the bad guys.

      However, it is true that certain ad networks do very minimal checking or even seem to be in league with malware pushers. But publishers soon drop ad networks like this and they end up being relegated to the scummy tier of publishers only.

      Oh.. it's hardly new anyway. Here's a report from 2004.

      --
      Never email donotemail@WeAreSpammers.com
    4. Re:The author is lying by zwei2stein · · Score: 1

      The only option?

      Hardly.

      You can accept donations. You can have freemiums. You can offer merchandise.

      --
      -- Technology for the sake of technology is as pathetic as eschewing technology because it's technology.
    5. Re:The author is lying by Anonymous Coward · · Score: 0

      BULLSHIT.

      1. There is no such thing as "free content" with ads. When it has ads, IT IS NOT FREE ANYMORE. It costs the most valuable thing I have: The freedom to think my own thoughts! You should read up on "mirror neurons" (the ability to put yourself in the shoes of others) and how the primitive parts of the brain can't tell the difference between imagination (like ads) and reality. But working in advertisement, you must already know that, and use the other thing everybody in advertisement is an expert in: Lying.

      2. If your website got something of *actual value* (=not abundantly available for free everywhere else), then you can *always* do the same thing every other *service-based business (model)* is doing: You ask a fair price for it in *advance*. If the only way to "monetize" your site is via advertising, then you have to face the fact that YOU HAVE NOTHING OF ANY WORTH TO OFFER WHATSOEVER! In that case, please just go bankrupt, and quit ripping us off with your meaningless worthless shit. And most of all: Quit bitching about it!

    6. Re:The author is lying by RabidReindeer · · Score: 1

      BULLSHIT.

      1. There is no such thing as "free content" with ads. When it has ads, IT IS NOT FREE ANYMORE. It costs the most valuable thing I have: The freedom to think my own thoughts! You should read up on "mirror neurons" (the ability to put yourself in the shoes of others) and how the primitive parts of the brain can't tell the difference between imagination (like ads) and reality. But working in advertisement, you must already know that, and use the other thing everybody in advertisement is an expert in: Lying.

      2. If your website got something of *actual value* (=not abundantly available for free everywhere else), then you can *always* do the same thing every other *service-based business (model)* is doing: You ask a fair price for it in *advance*. If the only way to "monetize" your site is via advertising, then you have to face the fact that YOU HAVE NOTHING OF ANY WORTH TO OFFER WHATSOEVER! In that case, please just go bankrupt, and quit ripping us off with your meaningless worthless shit. And most of all: Quit bitching about it!

      Get over yourself. This is the 21st Century. Lower Prices Every Day. Information wants to be Free.

      Unless you have a very vertical product where you have limited competition, people are not going to pay to visit your site. Your local ISPs and utility companies haven't got the memo yet, so they still expect to get paid, and they do have limited competition. Ergo, ads.

    7. Re:The author is lying by Anonymous Coward · · Score: 0

      f-f-f-faggot

    8. Re:The author is lying by Anonymous Coward · · Score: 0

      but is also the only option to monetize free content

      Aside from this being a flat out lie (tip jar, anyone?), it misses the point. You either want to give content away free or you want to make money. If the latter, put your damn content behind a paywall -- or are you worried that it isn't good enough to attract customers?

      I don't have a problem with web site owners offering their own stuff for sale, but the third-party stuff is insulting.

    9. Re:The author is lying by Anonymous Coward · · Score: 0

      Unless you have a very vertical product where you have limited competition, people are not going to pay to visit your site.

      So you have to ask yourself, punk, is your web site really worth anything to the world at all? If not, do the world a favor and shut it down. If you're just running the web site for ego boost, then suck it down and pay for it out of your own pocket.

    10. Re:The author is lying by Anonymous Coward · · Score: 0

      The INFORMATION *is* free. It is the SERVICE (as in ACTUAL WORK) that is *not* free.

      And what the hell is a "vertical product"? A prostitute that stands up, while fucking you?
      That whole paragraph made no sense at all.
      If I am the only one on the net, who offers to do $workX, which nobody else can do, then either you pay to get to my site, or you don't get it*. If I am not, and somebody else can do $workX for *free*, then *by definition* it is worthless, and I have no right to even ask anybody to watch ads for it. Simple as that.

      ___
      (* Again, for the brainwashed: "it" = WORK. Not information! The distribution of information cannot be controlled anyway, and doing so, is a crime in my book.)

  19. They Finally Notice. by John+Sokol · · Score: 2

    We were using java, flash and javascript to do this sort of stuff as early back as 1996.
    Massive DDOS attacks were generated this way.
    Even played around with Distributed computing all from banners placed on various web sites.
    We were able to run stuff in browsers that was next to impossible to remove.
    And with browsers restoring all the windows most common users would never figure out how to kill these things.

    --
    I am always doing that which I can not do, in order that I may learn how to do it. - Pablo Picasso
    1. Re:They Finally Notice. by Anonymous Coward · · Score: 0

      It's 2013. You're allowed to put more than one sentence in a line now.

  20. We have Adsafe & Caja for that by Anonymous Coward · · Score: 0

    It's a solved problem, really.

  21. Good thing Firefox makes javascript obligatory by Anonymous Coward · · Score: 1

    Damn good thing that Firefox 23 makes javascript obligatory:

    http://news.slashdot.org/story/13/07/01/1547212/firefox-23-makes-javascript-obligatory

    1. Re:Good thing Firefox makes javascript obligatory by Neil+Boekend · · Score: 1

      Blanket disabling Javascript means large portions of the internet become useless, so NoScript is a better solution IMHO anyway.

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
  22. Question from the less tech-y by Camael · · Score: 1

    From TFA:-

    “Basically, when a web browser goes to a page, that page can force the browser to do whatever it wants – make web connections, download illegal files, attack other Internet sites, make illegal searches – whatever,” Grossman told me in an interview last week.

    Assuming you're using the latest Firefox with Adblock and Noscript, how true is that claim?

    Would it, for example, stop the ad network attack vector mentioned in TFA?

    I used to assume running Noscript is sufficient protection, but with all the news of exploits floating around, I'm no longer sure.

  23. Ignorant masses by Anonymous Coward · · Score: 0

    All of you who are so smart, that you will not be part of the botnet, you do not matter. You are an insignificant amount of people compared to the ignorant masses, that the botnet exploits.

  24. Good luck with that. by Anonymous Coward · · Score: 0

    Adblock, noscript, flashblock, giant hosts file.

    And you guys wonder why everyone hates you... You're a bunch of annoying amoral lying assholes.

  25. /. - JavaScript? by Anonymous Coward · · Score: 0

    Can /. finally stop requiring JavaScript, then? I don't want to hear about xyzblock -- they don't work for me. I don't enable Java or Flash either.

    1. Re:/. - JavaScript? by jones_supa · · Score: 2

      The old non-JS discussion system is still there. To enable it, follow these steps:

      - Click your user name at the top of the page
      - From the pop-up menu, click on Account
      - From the pop-up dialog's top bar, click Discussions
      - Select the Classic Discussion System (D1) radio button
      - Click the Save button

      Was this answer helpful: yes or no? Would you also like to send all information from your computer to assist us in improving the performance and responsiveness of our product?

  26. Eeep by Anonymous Coward · · Score: 0

    NoScript
    http://noscript.net/

  27. orealy by Anonymous Coward · · Score: 0

    Film.
    At.
    Eleven.

  28. It's been 20 years wth by Impy+the+Impiuos+Imp · · Score: 1

    Why don't they fix javascript, limit it to a handful of requests so it can download its data but not spam requests in a loop? Disable its popup ability, too. I have never needed it, and if I did, I'd be happy to click an open window approve box.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  29. Paper trail by morgauxo · · Score: 1

    Unless they are paying for their ads using anonymized Bitcoins, couldn't the ad company be served a warrant and the perpetrator found through the payment records?

    1. Re:Paper trail by Anonymous Coward · · Score: 0

      Yeah, 'cuz there's no way they'd use a stolen payment method.

  30. Some Porn sites probably do it in the main pages by Anonymous Coward · · Score: 0

    I'd be Shocked, yes Shocked to hear that some of the free Porn sites do this kind of "using your computer in the background from a supposedly idle web page".

    It is the perfect target audience: People go to the sites, linger on the pages longer than random readers, and don't like to admit they went there (so it helps hide any such usage). Also completely immune to anti-virus protection, vs. say exploiting the machine.

  31. Custom hosts files do a BETTER job by Anonymous Coward · · Score: 0

    Since they do more with less (a single file) & at a faster level of privilege (ring 0/rpl0/kernelmode) than browser addons (that slow up already slower ring 3/rpl 3/usermode browsers) by acting as a filter for the IP stack itself (written in C language & starts with the OS + 1st request to the internet, with over 45++ yrs. of optimization refinement put into it) - how do I gather, sort, deduplicate, normalize, & filter them? Easy:

    ---

    APK Hosts File Engine 9.0++ 32/64-bit:

    http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74

    ---

    Using that app by "yours truly"? So can you!

    (More specific details of its operation & what it does for you are in that link (which if you're like me, that site *may* just "interest you", since it features & hosts 64-bit wares galore since that's the "wave of the future" & not just for Windows users either mind you...)).

    * It also does FAR more than AdBlock ("souled-out" to GOOGLE, & crippled by default) or Ghostery (Advertiser owned) do, by FAR - especially considering they're "Foxes guarding the henhouse" now.

    APK

    P.S.=> Custom hosts files give users of them great benefits in added speed (blocking adbanners & hardcoding your favorite sites into them - faster than remote DNS lookups), added security (vs. known malicious sites/servers/hosts-domains that serve up malware or are malscript bearing), added reliability (vs. Kaminsky bug vulnerable DNS servers, 99% of which are STILL unpatched vs. it & worst of all @ the ISP level), & even added anonymity to an extent (vs. dns request logs + DNSBL's you may not like too)...

    ... apk

  32. Agreed, DoNotTrackMe is better. by Burz · · Score: 1

    It's independent and doesn't slow my browser down like Ghostery does. The latter isn't really written with users in mind... its primary purpose is to give the ad industry a 'self-compliance' fig leaf.

  33. On the facebook stuff by Anonymous Coward · · Score: 0

    You're right - & I work around that easily, so can you, as follows (since it's not visible usually like for instance, adbanners are - sneaky, Sneaky, SNEAKY lol!)!

    Start by surfing around as normal to sites you like/go to usually (or not), & using a tool called "network latency view" http://www.nirsoft.net/utils/network_latency_view.html

    (Which is really just for doing this but it works for this purpose also)

    That program shows me those trackers that AREN'T immediately apparent operating 'behind the scenes'.

    Then, I just pop them into my custom hosts file like so:

    E.G. -> 0.0.0.0 edge-star-shv-03-ash5.facebook.com

    And voila: They're NOT going to connect to squat on my system locally, or work @ all, period.

    APK

    P.S.=> It works (it's pretty underhanded shit imo too, & pissed me off some when I discovered it a few years back) & of course? So does this by "yours truly" (yes, shameless plug):

    APK Hosts File Engine 9.0++ 32/64-bit:

    http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74

    Does a hell of a LOT more for you in added speed, security, reliability, & even anonymity to a degree -> http://it.slashdot.org/comments.pl?sid=4034107&cid=44439245 than AdBlock ("souled-out" to GOOGLE, doesn't block all ads anymore by default) &/or Ghostery (owned by advertisers & thus imo is a "fox guarding the henhouse") do.

    NoScript rocks for FF users - but, I use Opera 12.16 64-bit here & disable cookies/plugins/javascript/frames-iframes BY DEFAULT globally for all sites - when I need any of those, I do an "exception" site, allowing for them (sometimes you have to for full function, usually ecommerce related or db access type stuff as you probably know).

    "Always more than 1 way to skin a cat"

    ... apk
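
The gather, normalize, deduplicate and filter step that comments 31 and 33 describe for hosts files, sketched as an added example that is not part of either post and is not the tool they link to. Apart from the facebook.com entry quoted in comment 33, the list contents are constructed, and every function and variable name is hypothetical.

```python
import re
# Constructed sample lists in hosts-file syntax (not real blocklists).
LIST_A = """\
127.0.0.1   localhost
127.0.0.1   Ads.Example.com      # banner host
0.0.0.0     edge-star-shv-03-ash5.facebook.com
"""
LIST_B = """\
0.0.0.0 ads.example.com tracker.example.net.
0.0.0.0 bad_host!.example.org
10.1.2.3 intranet.example.com
"""

SINK = "0.0.0.0"
BLOCK_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}   # only sinkhole targets are accepted
KEEP_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost", "0.0.0.0"}
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def valid_hostname(name):
    return len(name) <= 253 and "." in name and all(LABEL.match(p) for p in name.split("."))

def merge_blocklists(*texts):
    """Return (sorted unique hostnames to block, entries refused)."""
    blocked, rejected = set(), []
    for text in texts:
        for raw in text.splitlines():
            fields = raw.split("#", 1)[0].split()      # drop comments, split on whitespace
            if not fields:
                continue
            addr, names = fields[0], fields[1:]
            if addr not in BLOCK_ADDRS:
                # Maps a name to a real address: a redirect, not a block. Refuse it.
                rejected.append(" ".join(fields))
                continue
            for name in names:
                name = name.lower().rstrip(".")        # normalize case and trailing dot
                if name in KEEP_LOCAL:
                    continue                           # never touch the loopback names
                if valid_hostname(name):
                    blocked.add(name)
                else:
                    rejected.append(name)
    return sorted(blocked), rejected

def render(hosts):
    return "".join(f"{SINK} {h}\n" for h in hosts)

if __name__ == "__main__":
    print(render(merge_blocklists(LIST_A, LIST_B)[0]), end="")
```

Refusing any line whose address is not a sinkhole matters when importing third-party lists: a hosts entry that points a real domain at an arbitrary IP redirects traffic instead of blocking it.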

  34. LOL by Anonymous Coward · · Score: 0

    Microsoft sure is getting desperate. Too bad nobody wants your Surface hardware, either.