Ask Slashdot: Are AdBlock's Days Numbered?

An anonymous reader writes "This article discusses the ethics and the mechanics of ad-blocking software. Toward the end, it goes into some of the tech that's been built to circumvent ad blockers. Quoting: 'PageFair offers a free JavaScript program that, when inserted into a Web page, monitors ad blocking activity. CEO Sean Blanchfield says he developed the monitoring tool after he noticed a problem on his own multiplayer gaming site. PageFair collects statistics on ad blocking activity, identifies which users are blocking ads and can display an appeal to users to add the publisher's website to their ad-blocking tool's personal whitelist. But Blanchfield acknowledges that the user appeal approach hasn't been very effective. ClarityRay takes a more active role. Like PageFair, it provides a tool that lets publishers monitor blocking activity to show them that they have a problem — and then sells them a remedy. ClarityRay offers a service that CEO Ido Yablonka says fools ad blockers into allowing ads through. "Ad blockers try to make a distinction between content elements and advertorial elements. We make that distinction impossible," he says.' Is this arms race winnable? By which side?"

NoScript

[dos1]

Beat that, suckers.

Re:NoScript

...and suddenly the pages stop working altogether. It is trivial to make a page that is empty and use JavaScript to load the contents of the page. If these guys resort to AdBlock-detectors, why do you think they would allow NoScript to circumvent that?

Re:NoScript

Then it's a bad site not worth your time.

Re:NoScript

[Xicor]

the problem is that we are seeing an increase in sites that will pop up with a separate page and wont let you see ANY content until you stop using an adblocker. luckily those are mostly used on bad sites, but if they ever become popular it will be a problem.

Re:NoScript

[Jah-Wren+Ryel]

JavaScript performance on mobile is terrible - like 10x slower than desktop. If you make your website dependent on javascript, prepare to lose a lot of mobile customers who won't have the patience to wait it out.

Re:NoScript

[iggymanz]

but there are ad filters that start to do the load but don't display. I'm betting the geek developer will always win against marketing droids

Re:NoScript

Fine with me.
I'll just use a different website.

Re:NoScript

[ne0n]

It's likewise trivial to avoid shitty sites that go far out of their way to degrade the user experience, and thanks to the internet's intrinsic nature there's nothing unique on an ad-monger's site that can't be found elsewhere. NoScript helps to build that list of shitty sites. Let the parasites starve FFS.

Re:NoScript

[khasim]

And when a site doesn't work correctly with javascript disabled?

Then YOU get to ask YOURSELF whether YOU want to take the risk of running THEIR scripts on YOUR system in order to read/watch THEIR content.

Individual preferences will, of course, vary. But I've found that the sites that run scripts usually don't have much content worth my time.

As for ads ... if they weren't so abused in the first place (pop-ups, pop-unders, flashing, auto-run-sound, slowing-down-the-entire-page, redirect-on-close, etc) then there wouldn't be such a large movement to block them.

Ads today are not as much about selling a product as tracking where you go and what you click on. The products advertised bear no relationship to the site I've visited.

Re:NoScript

[johanw]

More subtle than Noscript: Ghostery.

Re:NoScript

[hairyfeet]

What I want to know is this....are the website operators going to take responsibility and pay for the damages the malware carried in their precious ads cause? No? Then please DIAF you greedy little self centered shits, your "business model" is a blight upon the planet and needs to die!

Do you guys have ANY idea what happens when you take the average Windows PC and block 100% of the ads? Or block them on an *Android phone or tablet? Honestly you might as well not even have AV as its never gonna get anything to attack, infections drop right of the map. Leave their precious POS business model intact? Say hello to a PC that has more nasties than a Bangkok Whore on Sunday morning after shore leave as infected ads are the #1 source for zero days, drive bys, and social engineering and these greedy little piggies want the profits but they want to take ZERO responsibility for the messes their profits make.

So sincerely, from the bottom of my heart...go fuck yourselves website owners. Do you guys have any idea how fucking TRIVIAL it is to make ads that waltz right pass the ad blockers? 1.- Make ads first party (so they have to actually wake the fuck up and see what they are shoveling), 2.- Make them text or basic images like JPG or GIF (but then they couldn't hijack your speakers and blow your ears off, what fun is that?) and NO FLASH ADS because flash zero days are one of the biggest attack vectors out there (but then they couldn't get "teh big bux" for having the most annoying Goatse of ads spewed on their pages)

So do what old Hairy does, when a site "appeals to turn off your blocker" I head straight to their forums and ask them right out "Are you gonna take financial responsibility when one of your ads infects one of my customers?" and then point out how trivial it is to bypass the blockers with non-threatening content. You'd be surprised how many people don't know that those pieces of malware they "just keep getting somehow" are coming from assholes like in TFA and spreading the word is required to bring this to a head. They are making profits from a risky business, they should have to assume the downsides as well as the profits and clean up their own messes.

*.-The Googleits can piss and moan like the Cult of Jobs how "But but but...those don't count!" but from my seat at the shop the #1 source of Android malware? Social engineering, tricking the user into installing that .APK from an unknown source and taking control of the system...where are they seeing the social engineering instructions that take them to the website and show them how to bypass the appstore? The same place Windows users are getting social engineering, through ads.

Re:NoScript

[Threni]

Why do so many mobile sites popup a dialog which is mostly off the right of the screen, and where, when you zoom in to try and find where they've hidden the non-standard, non-intuitive 'close' icon, it moves further offscreen? How am I supposed to remove the popup (which is covering a lot of the content, and making the screen dark to 'highlight' its importance)? 2014 - it's hard to deal with small screens? How? How is it hard? How did you get a job writing websites when they're so fucking sucky?

Re:NoScript

[jedidiah]

You're the one living in some sort of out of touch fantasy.

I care about security and safety. Also as a side effect, I get often get better performance. I don't care about "sticking it to the man". I am just trying to prevent the man from infecting me when he tries to "stick it in me".

The crap on some pages is just beyond belief. A pile of crud turning a 2014 broadband connection into a 1994 dialup connection.

Re:NoScript

[MightyYar]

The hilarious thing about many of those sites is that the "block" is just a layer in front of the actual content. Firefox's built-in "inspect element" is usually enough to remove it and get to the content.

Re:NoScript

[Kvasio]

What bullshit. It's fucking 2014. If you want to roam the web in your happy Mosaic-1.0-land then go ahead.

I use gopher, you insensitive clod!

Re:NoScript

[0p7imu5_P2im3]

"Amen! Preach on ma' brotha'!"

Seriously, though. That is exactly why I installed an ad-blocker. I specifically allow sites I visit in order to live up to that philosophy, but I have yet to see a single site since 1999 that hosts 100% of its own advertising. I actually enjoy seeing in house ads for exactly this reason, even if the site reviews the product it is advertising, because it shows that they give a care about their users/readers.

Re:NoScript

[taustin]

A web page that is blank with JavaScript turned off is equally devoid of content with it turned on, even if you can technically see words and pictures.

If you want me to look at (and ignore) your ads, make them less offensive, and do some testing to ensure they don't make the page literally unreadable.

Re:NoScript

[causality]

Then YOU get to ask YOURSELF whether YOU want to take the risk of running THEIR scripts on YOUR system in order to read/watch THEIR content.

Of course Javascript is limited to accessing THEIR content. Anything else on YOUR system is out of reach of Javascript.

But I've found that the sites that run scripts usually don't have much content worth my time.

Then you aren't using much in the way of Web 2.0 sites. Most of the interactive web-sites since Google Maps are unavailable to you. Hope you like the 1990s.

I'm all for blocking ads. But disabling Javascript altogether is throwing out the baby with the bath water.

The point of NoScript is not do disable Javascript alltogether. The standard browser settings include a checkbox to disable Javascript entirely for all sites. That isn't what the add-on NoScript is for. NoScript is there to selectively disable the scripts that you decide are unnecessary.

I wish people who actively choose to comment on a thing would take a moment to acquire the most basic familiarity with that thing. It would lead to far fewer redundant posts and far fewer posters who are convinced they've pointed out the "obvious flaw" that no one else was smart enough to ever think of...

Re:NoScript

[swilver]

Slashdot works with Javascript disabled.

Your turn.

Re:NoScript

[Mister+Transistor]

I absolutely hate that shit, you go to a site and it renders, then goes dark because some fucking scrip takes over and tries to force some card on me or some shit. Fuck them. Big time. I see that shit, I'm outta there. Period.

Re:NoScript

[DJ+Particle]

And even ads supplied by Yahoo and Google aren't immune. Those are the two most reputable ad suppliers, and both have been known to occasionally shove out malware-laden ads. Until I can get a 100% guarantee against ad-based malware, AdBlock+ stays running.

Re:NoScript

[cas2000]

you're making things too hard for yourself.

the correct way to render a page is however the user wants it rendered at that moment in time. this may vary based on the device they're using, the time of day, how tired their eyes are, arbitrary whim, and thousands of other factors - almost none of which can be anticipated or predicted by you.

amongst other things, that means web sites should emit just plain xhtml with simple css and don't do any fucking with the DOM with javascript. if the client's renderer is broken, then it's their problem, not yours. don't try to fix it or work around it with js or stupid hacks - it's just fucking broken and will never get fixed as long as people like you keep making work-arounds.

and nobody ever wants a mobile app. no user does, anyway. it's arsehole companies and marketing vermin who want users to be running their own special purpose spyware app rather than just visit a web site.

Prior art

[Hatta]

Slashdot already makes distinction between content elements and advertorial elements impossible.

Different Servers Make It Possible

[ScottCooperDotNet]

"Ad blockers try to make a distinction between content elements and advertorial elements. We make that distinction impossible,"

So long as you're hosting your ads off-site, or even on a local (ad.example.com) server, we'll be able to block them.

Stop infecting me..

[Dynamoo]

Dear advertising networks,

Stop trying to infect me with malware and perhaps I'll stop blocking you from my browser.

Own your own adds

[Sir_Sri]

If you want an add to appear on your page take ownership of it. Host it as an image file on your own website that you control and you are responsible for.

Anything else, we intend to find ways to block it, because we have learned the hard way that you cannot trust advertisers to not infect your system with malware (not always intentionally, but lets face it, that's a big source of failure).

Re:Own your own adds

[istartedi]

This. We may find that the current online advertising model is like the Soviet revolution. If the hosting site and the ad scripts start working in concert, it might be like a crackdown by hardliners. Unlike a totalitarian regime, migration from your site is usually not that difficult. You'll lose the users. Maybe then commercial sites will realize that they have to go back to something more like the old print media model. You couldn't just blindly turn over newspaper pages to 3rd parties. Advertisers had to trust things like circulation figures and demographics. It was a far less sophisticated analytic. Publishers will have to be trustworthy enough for advertisers to trust *publisher* analytics. If the New York Times really wanted to be innovative, they are the kind of company that could do this. That, along with getting rid of user registration would really shake up the industry. I think it'd be a clear winner as long as the publisher didn't do the same kind of scripted nasties that ad networks currently do.

Wouldn't you love to be able to browse a high quality site, knowing that the ads aren't going to ass-rape your system? Aside from that, wouldn't it be nice to look at page archives 30 years from now and see period ads. You can look at magazines from 100 years ago and get insights into the culture, and develop an appreciation for the history of strong brands like Coca Cola, or oddities like patent medicines with radium in them. Future historians will look at the last 20 years as if the tape of our commercial activities had been erased.

zero tolerance and who owns my computer

I own my computer. I've been convincing every of my friends and family members to adopt a zero tolerance policy toward internet advertizing, partly as it's a huge security risk as seen in all recent stories about malware delivered with ads, and partly to opt out of "big data" collector activities.

Advertizers don't get it. My computer runs what I want it to, not what THEY want it to. They may make polite requests to display things, or to run things, which I can either say yes or no to.

The internet existed for decades before advertizers discovered it, and it'll be just fine - better even! - after they depart. Maybe we'll go back to its roots of crowdsourced content, rather than "big corporate content".

Annoying

[afgun]

If so many ads weren't obnoxious flash or javascript and simply a hyperlinked picture/text, then I wouldn't feel compelled to block them. But these so-called ads are largely intrusive and annoying and make the web browsing experience suck. Just like email and spam that have tracking linked images in them that I choose to automatically round file instead of at least checking out the content. Make the experience pleasant and controllable by me and I'll play along; otherwise, I take control with tools like adblock.

Simple solution

[Goose+In+Orbit]

Host your own ads - make them unobtrusive - people will still see them AND the content.

Being lazy and outsourcing it to others... you get what you deserve.

If the ads win, I drop the site

[RichMan]

The people that are using ad-blockers are stating "I am annoyed by adds". These people seem to think it is a good idea to show the people that have flagged themselves as getting annoyed by ads more ads. That seems really really dumb.

These people should be careful what they wish for. There are many, many sites out there for people to browse on. Annoy a "customer" to much and it is very easy for them to go elsewhere.

rethink the ads you're serving

[rlwhite]

If I see banner ads or anything else obnoxious, and I can't keep them blocked and still use the site, I'll find what I want elsewhere.

I'm ok with the text-based ads Google is known for, and I'll even click on them when they're relevant to what I'm looking for... because they're not obnoxious! They aim to be helpful!

Here's a radical idea...

[jheath314]

If people are blocking your ads, it's probably because they're not interested in seeing the god damn ads. Sneaking past the ad blocker won't result in me going "gee, you got me, I'll be good and click on your ad now." More likely it will piss me off to the point where I stop visiting your site.

Stupid marketers and their "arms race" mentality was what resulted in people developing and using adblock and noscript in the first place. "What do you mean people still aren't clicking on our ads? It's got a dancing monkey with a flashing background and it occupies half the browser window! Fine, we'll make it play music too, and pop up fifty windows... maybe THEN they'll realize the error of their ways and click on it."

Haha! Suckers-- I'm using Mosiac!

[sandbagger]

Text view is the only thing that renders, mind you.

In single column. I scroll a lot.

Unsolicited audio

And no goddamn auto-playing sounds either.

Adblock is also a safety measure.

[DittoBox]

AdBlock is something I've started installing for friends and family more as a way to block malware, than as a way to block ads outright. Poisoned ads (malvertising) account for a lot of malware installs. Just Google for iTunes or Firefox and the top ad results are malware infected installers.

Besides the incredible annoyance of ads in the slow downs they cause, they're also a dangerous pathway to malware and viruses. Common methods like embedding an iframe into a page that loads a script that targets a browser exploit to install something nasty (drive-by downloads), oneclick exploits, baiting users to download things, etc.

Ad networks—at least the slimy ones—don't care because they're getting paid.

On no longer using Ad Block

[onyxruby]

I'll consider abandoning Ad Block when a decade after ads are no longer the leading cause of malware. Until then I consider it a security requirement along with noscript.

Re:HOSTS file

[Penguinisto]

Damnit - do NOT invoke that bastard!

What's missing from the discussion

[barakn]

I'd warrant (but don't have the statistics to back me up) that the typical ad-block user would be less prone to click on ads if forced to see them than a typical surfer. I don't see why these crybaby advertisers are so desperate to reach a market that would have low click-through rates. The advertisers win by not needing the extra bandwidth necessary to serve up ads to people that wouldn't click on them anyways.

The wrong question is being asked....

[Bomarc]

Several times, in several different ways I found the question asked ... is it ethical to block ad's. My response: You are asking the wrong question: Is it ethical to track me without my permission? Is it ethical in inject mal-ware into my system? Is it ethical to not allow me access to information you claim is about me? Is it ethical to make money on my actions -- without a reward for me?

Stop messing with MY system, and I'll stop messing with your ad's.

Re:Flashblock is my middle ground

[Cramer]

They ALL have low CPM. And the more obnoxious and intrusive the ad, the more you're pushing people to ad blockers. (or simply abandoning your site) With the ever increasing greed from ISPs in the form of bandwidth limits and heavy overage fees, **I** don't want to be paying the per-byte costs of completely USELESS content. Go use the internet over dialup for just an hour and tell me how much you like all the bull**** ads, or the overabundance of enormous javascript libraries.

Re:Flashblock is my middle ground

[EdIII]

I don't have a problem with javascript, as I do make stuff with it. Done right, you don't have as much impact on the bandwidth as you think. If you have megs of javascript libraries being referenced from external CDN's, you're doing it wrong.

It's going to go down that road anyways till the end. Web browsers have ceased being about document markup and rendering, which is how it started, to running external code in complicated sand boxes. You can't put that genie back in the bottle.

The issue is being able to trust that javascript, which is really about trusting the sandboxes to not allow malicious code to be run. Tracking is a problem of course, but that is mitigated by blocking software that stops those specific scripts and domains from working. Once a Big Data company like that gets big enough, they'll just get shut down by the blockers, which is a very good thing. It protects our privacy as well as our computers.

If you don't want javascript and external code libraries you're only other option is to have a single universal API developed that ALL browsers adhere strictly to. Blocking tracking software is simple as a permissions setting at that point to not listen to any tracking tags or events set up in the page. AJAX type events would need to be classified accordingly and secured. An event going toward a different domain than the page? Blocked by permissions. Image not from the domain? Don't even download it based on permissions. CDN's should be registered in the browser as an alternative for any file that needs to be downloaded for a "page".

Above all, that API should have plentiful RBL's that outright disable all external calls. We want accountability? How about within an hour of malware being downloaded those RBL's are proactive like some email services and browsers start blocking that particular site or CDN automatically? That would make propagation of malware a real bitch in production. Not to mention if you are a big outfit and that happens people will start getting fired till it's fixed. I've been in a major company that got their email shut down by Cisco IronPort (Over half the vendors they dealt with were rejecting mail). Some yahoo in the data center thought it would be cool to run his own little server which got hacked and delivered out 9 tons of spam that shut down corporate email for 4 days till IronPort finally cleared it up.

Can you even imagine what would happen if one of those RBL systems blocked Yahoo by default a week or two ago? Shit storm indeed, but a needed one.

We don't have any of that.

What we *do* have is a clusterfuck of technology that developed from an interesting idea to effectively share a word processing screen at universities that is fundamentally toxic to us. We spend billions cleaning it, defending it, and developing it, etc.

It just needs to be scrapped and start over.

So no, blocking javascript is not the answer either. Unless you want to be left behind with non-working pages because people like me are getting really tired of needing to expend those resources for graceful failure. We don't have the time or the money to do that anymore (not in this economy) and javascript and JQuery (along with the other JS frameworks) are here to stay. So many of the "shiny" features out there only work in an event based framework where I can modify the DOM without reloading the entire page.

The whole mess is just terrible and we keep refactoring code to old email and document markup systems without addressing the underlying issues at all.

Re:Flashblock is my middle ground

[Cramer]

The root issue is people are stupid and lazy. If your 250k of JS actually does things, that's one thing. When you include (an uncompressed) version of JQuery to use one tiny function (that you don't JQuery to actually do), or worse don't use any part of it, you're wasting everyone's time and bandwidth.

Every time I research how to do something in a browser, every. single. fucking. time. The top 90 out of 100 answers is to load some enormous bloated framework widget toolkit and kitchen sink replicator. for what has, in every case so far, boiled down to 1-2k of formatted, human readable JS. Apparently, I'm the only motherf***er in the universe that cares if his web page is 3k vs 300k, in 1 file vs. dozens.

Re:Flashblock is my middle ground

[cas2000]

What we *do* have is a clusterfuck of technology that developed from an interesting idea to effectively share a word processing screen at universities that is fundamentally toxic to us.

no. the toxicity comes from the advertising and the insistence on javascript (and flash and java etc applets).

just displaying documents is harmless. it's the fact that web-dev fuckers (and worse, "designers") want to run arbitrary code on millions of computers belonging to other people that is the source of the harm.

So many of the "shiny" features out there only work in an event based framework where I can modify the DOM without reloading the entire page.

you're making the mistake of assuming those "shiny" features are essential. they're not. in fact, more often than not, they're a PITA and end up being a reason not to return to the site.

if a web site or even just a web page doesn't work without javascript, then it is broken. js can be useful to *optionally* enhance a page, but the page should work (i.e. display the important information and navigation controls) without javascript.

BTW:

CDN's should be registered in the browser as an alternative for any file that needs to be downloaded for a "page".

so CDNs become a back door for malware because they're all whitelisted/trusted. what's the point of managing permissions for a site if that site can just bypass restrictions by uploading their scripts and malware to a popular CDN?

doing that would also allow CDNs to spy on users as they browse from site to site, linking accounts and IDs and activities - same as ad networks now (which is yet another reason to run adblock).

if ads were just static graphics without any animation and without spyware/tracking and without javascript then most people wouldn't give a shit about ads and wouldn't bother blocking them (it was animated GIFs that motivated me to write my first ad blocker in the mid 90s...the text and static GIFs that were common before then didn't annoy me enough to be worth the bother of eliminating)