Slashdot Mirror


Malvertising Up By Over 200%

An anonymous reader writes "Online Trust Alliance (OTA) Executive Director and President Craig Spiezle testified before the U.S. Senate's Homeland Security and Governmental Affairs Permanent Subcommittee on Investigations, outlining the risks of malicious advertising, and possible solutions to stem the rising tide. According to OTA research, malvertising increased by over 200% in 2013 to over 209,000 incidents, generating over 12.4 billion malicious ad impressions. The threats are significant, warns the Seattle-based non-profit—with the majority of malicious ads infecting users' computers via 'drive by downloads,' which occur when a user innocently visits a web site, with no interaction or clicking required."

  1. Malvertising by rossdee · · Score: 2

    And is expected to peak on the Monday before the first Tuesday in November

    1. Re:Malvertising by Anonymous Coward · · Score: 1

      Why is there a story about advertising in the mall?

  2. It's one of many reasons why Adblocking is moral by metrix007 · · Score: 5, Insightful

    The others being performance and functionality related. I don't like ads due to the security risk, and they can slow down my machine and make it very fucking hard to see the article.

    If your site has harmless ads, that is one thing.

    On the other hand, if your site can only survive by being paid for with ads, you need a new business model.

    --
    If you ignore ACs because they are anonymous - you're an idiot.
  3. Re:It's one of many reasons why Adblocking is mora by Threni · · Score: 5, Insightful

    > On the other hand, if your site can only survive by being paid for with ads, you need
    > a new business model.

    Like Slashdot, you mean? Or is this site supported by the Bandwidth Pixies?

  4. Re:Disable Javascript already! by Katatsumuri · · Score: 1, Informative

    I find NoScript extension convenient.

  5. Re:Disable Javascript already! by Scutter · · Score: 3, Insightful

    It's useful, I don't know if it's convenient. Most sites won't even load anymore if you have Javascript turned off.

    --

    "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
  6. WTF? by Anonymous Coward · · Score: 1

    > testified before the U.S. Senate's Homeland Security and Governmental Affairs Permanent Subcommittee on Investigations

    That has to be the most ridiculously long name for bullshit I've ever seen.

    1. Re:WTF? by pubwvj · · Score: 1

      It is an anagram for BULLSHIT. They threw in a few extra letters to confuse you.

  7. what a stupid article by slashmydots · · Score: 3, Insightful

    They're talking about 2 different things. Malware advertising is "your PC had errors. Click here to fix it" and it downloads some registry nagware bullshit. Drive by downloads are not ads at all. It's an exploit kit and it's what happens when the ad blocks get hacked. It's not like someone supplied exploit code to Google's advertising program. The article is talking about 2 completely different things.

    1. Re:what a stupid article by GIL_Dude · · Score: 4, Informative

      While your definitions are correct, a lot of drive by downloads happen when you visit otherwise trusted pages - because the ad network servers either got successfully breached or they didn't vet their advertisers well enough (again). For example - go to cnn.com today and view the source of the page. ads.indeed.com, doubleclick.com, etc. All of these ad networks have had serious issues with serving malicious advertisements from time to time. They will allow someone's ad that uses a malware kit attacking all the Java, Flash, Adobe Reader, etc. vulnerabilities that are out there. People shouldn't get drive by downloads just because they visited what should be a trustworthy site. So yes, drive by downloads can and do come from what are supposed to be ads. They are purchased via legitimate ad networks and run on many sites.

    2. Re:what a stupid article by Mashiki · · Score: 1

      One of the largest thefts of gaming accounts occurred because of drive-by malware because the advertisers didn't vet well enough. It was one of the reasons why Blizzard switched to the launcher for World of Warcraft back in '06 or '07, and the launcher would look for the most common malware that would steal logins. And of course most of the infections came right from well known gaming networks.

      --
      Om, nomnomnom...
  8. Re:It's one of many reasons why Adblocking is mora by pushing-robot · · Score: 3, Informative

    I think he's saying all content needs to be either paywalled or made or sponsored by the wealthy and powerful.

    --
    How can I believe you when you tell me what I don't want to hear?
  9. Re:It's one of many reasons why Adblocking is mora by nurb432 · · Score: 1

    > On the other hand, if your site can only survive by being paid for with ads, you need a new business model.

    So you would rather them charge you directly?

    That model has worked pretty well for Google too.

    --
    ---- Booth was a patriot ----
  10. Re:It's one of many reasons why Adblocking is mora by nctritech · · Score: 1

    The first rule of the bandwidth pixies is you do not talk about the bandwidth pixies.

  11. Re:Disable Javascript already! by Arker · · Score: 2

    "It's useful, I don't know if it's convenient. Most sites won't even load anymore if you have Javascript turned off."

    It's a huge timesaver. If they are not returning a webpage I figure that out immediately and move on to another site that does. With default settings on a modern browser you can only figure that out later through more subtle clues, and in the meantime you have infected your machine.

    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.
  12. Digital justice invocation by Atl+Rob · · Score: 1

    When the culprits are found, remove their digits via guillotine. If that doesn't persuade, remove thy arm... Problem solved the digital way! ; )

  13. "security" by melchoir55 · · Score: 1

    Will it be protected by DRM?

  14. Re:It's one of many reasons why Adblocking is mora by Nethead · · Score: 4, Informative

    > Or is this site supported by the Bandwidth Pixies?

    At one point, yes. I was one of them. I worked at an ISP and we gave Rob Malda a Pentium Linux box (slackware, IIRC) to host images.slashdot.org when his T1 started getting full. We gave Slashdot free hosting and bandwidth for about 2-3 years, until he moved on to other servers.

    --
    -- I have a private email server in my basement.
  15. Re:It's one of many reasons why Adblocking is mora by erroneus · · Score: 2

    Good, now I don't have to say it. I'll just be among those who agree with it.

    This is no different, in my opinion, than having a "smart TV" (or an xbox360/one) in your living room and having advertisers gaining access to your entertainment device. For many people, there is literally no distinction. We are not required to hand over our privacy and security to support someone else's business model. Some would say "if you consume, you are morally obligated" but I disagree.

    Someone needs to stand in front of congress and say "hey, this isn't a problem for Firefox users because they have a convenient and largely effective means by which they can protect themselves. MSIE and Chrome, not so much, and this is by design. Talk to the companies who support these malicious advertisers about why they choose not to protect their customers."

  16. Re:ah uh by the+real+darkskye · · Score: 1

    We updated the mantra to include "and keep your plug-ins and browser up to date"

    --
    Music is everybody's possession.
    It's only publishers who think that people own it.
    Fuck Beta
    ~John Lenno
  17. Re:It's one of many reasons why Adblocking is mora by hairyfeet · · Score: 1

    This is why I give ABP as SOP for all of my builds and by doing so? I've dropped infections right off the chart. People send their families and friends and business partners to me because "When he sets it up they don't 'slow down' and 'get buggy' which with modern OSes mean malware. As I have said before if you want to support your website with ads? Fine then follow best practices, site based only, no leasing out to ad farms, no flash or java, and if you follow best practices? ABP will even put you in the "good adverts" column and whitelist you by default. But MY customers shouldn't have to pay me $75 a pop to clean the messes YOUR business model makes. As I said on the Escapist when they did their "poo poo bad adblockers" bit "Either you stand by your website and pay the damages when you infect the viewers or you can STFU because nowhere does it say people have to put their machines at risk simply because you are too lazy to vet your ads". Ironically the second I posted that? A half a dozen behind me slapped up links showing the number of infected ads run by the Escapist that year which put them in a "high risk" category. Needless to say they moved to another topic right quick LOL.

    Oh and as for your sig? I ignore ACs because there is frankly no point in ACs at all. For every insightful AC there is a hundred trolls so having AC doesn't improve comments, and since an AC will never see your response there is no point in responding to them as it will never be seen. So as I see it ACs are only good for one thing, and that is posting without fear of taking a karma hit...aka being douchebags and trolls. So why should I waste my time giving a fuck about somebody too God damned lazy to spend a whole 2 minutes to make a UID?

    --
    ACs don't waste your time replying, your posts are never seen by me.
  18. Mail-vertising by Anonymous Coward · · Score: 1

    The usps should vet everyone that sends mail, to ensure consumers are protected. :-P

  19. Re:It's one of many reasons why Adblocking is mora by jez9999 · · Score: 1

    > The others being performance and functionality related. I don't like ads due to the security risk

    Am I missing something here? How insecure does your browser have to be to allow insecure code to be run just by visiting a website? I thought we were past the days of IE6!

  20. Re:It's one of many reasons why Adblocking is mora by Splab · · Score: 1

    When websites vet their advertisement and host the stupid things, I'll let them through (and in fact do so).

  21. Too many resellers by Animats · · Score: 5, Insightful

    Too many web sites which run ads are buying them through a chain of multiple resellers. Under current law, the web site running the ad can usually disclaim responsibility for hostile ads. That may change. The article is about testimony before the U.S. Senate's committee on homeland security.

    The site that displays the ads should be held responsible. Sites which run ads would then need to protect themselves by legal and technical means. For example, if you run ads on your site, your contract with the advertising provider should provide that they will indemnify and defend you should a bad ad get through.

  22. Re:It's one of many reasons why Adblocking is mora by Threni · · Score: 1

    Well that's a powerfully stupid idea.

  23. Re:Disable Javascript already! by GNious · · Score: 1

    NoScript allows you some measure of control - obnoxious Flash ads, Javascript-driven ads and other bits can often be turned off (due to separate origins) while the main functionality stays on.

  24. Re:Disable Javascript already! by StarFace · · Score: 2

    Only a small minority of sites flat out won't work without scripting. Just cruise past those idiot webmasters (they were probably making Flash only sites back in the day) and find an analogous site, there are usually many.

    Then there are some that bitch if you have it off, like YouTube (they cannot track you as well without it, which is why they whine). But they are still functional. I can make full use of YouTube without scripting, with a Flash downloader. I get better performance than with their shitty streaming thing, anyway.

    And always send feedback if a company or individual is clearly clueless over how scripting should be optional to the functioning of a site. If you never write in, they will never know their site is broken in a secured environment.

    --
    V
  25. Re:It's one of many reasons why Adblocking is mora by K.+S.+Kyosuke · · Score: 1

    Especially when they can speak for themselves? ;-)

    --
    Ezekiel 23:20
  26. Re:Disable Javascript already! by HiThere · · Score: 2

    If you're running flash, you have no need to worry about javascript, you're already vulnerable.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  27. Re:It's one of many reasons why Adblocking is mora by Tom · · Score: 2

    > I thought we were past the days of IE6!

    Yes, but so are the attackers.

    --
    Assorted stuff I do sometimes: Lemuria.org
  28. Re:Ok - but. it's not THEIR code... apk by sjames · · Score: 3, Insightful

    I'm not sure that the site owners are necessarily where the liability should fall, but it certainly need not be restricted to whoever paid for the ad. For example, if I accept $100 to "go put this box under that car", I will likely face some consequences if I can't articulate a good reason I didn't think it was a bomb.

    The ad companies have some duty not to publish malware. Now that it's common enough to have news articles written about it, they can no longer pretend that it's not something they might expect to happen.

    It's a bit disturbing that they haven't taken steps on their own since it provides a very good reason why people should block ads.

  29. Why Ad Blocking is Necessary by CodeBuster · · Score: 4, Insightful

    This is yet one more example illustrating precisely why ad blocking is necessary. The bloggers and others who make their living in the content business howl with righteous indignation at those of us who use these tools, but I submit that their anger is misdirected. On the contrary, it's the advertising networks who rightly deserve their wrath for allowing their business to become a cesspool of infectious viruses, worms and frankly worthless crap. Indeed, it seems that their motto is, "our advertising services are the right thing for anyone with a credit card, no questions asked." So I ask you, why should visiting your site without ad and script blocking enabled be akin to walking into the darkest corner of the bathhouse, bending over and letting everyone have their way with nary a condom nor a reach around in sight?

  30. Re:Disable Javascript already! by StarFace · · Score: 1

    Indeed, I'm not running Flash either. I don't even have it installed. That is why I mentioned using a download utility to acquire videos from websites rather than viewing them in page.

    --
    V
  31. Re:It's one of many reasons why Adblocking is mora by Nethead · · Score: 1

    I'm doing the same thing for work builds now. Because the Boeing and Airbus catalogs require IE8 or less I've taken the E off of the taskbar and put Firefox in with an adblocker. They have to click on the desktop icon that will take them to the exact site. Our GPO only lets IE visit the sites that we have vetted, and most of those are password protected sites to other vendors and manufacturers.

    Since rolling out that image I've had quite a few cow-orkers ask how to adblock at home. I'm only too glad to show them.

    --
    -- I have a private email server in my basement.
  32. Re:It's one of many reasons why Adblocking is mora by Anonymous Coward · · Score: 1

    You can pay directly to get rid of ads here. You can't say that for most other sites.

  33. And companies complain about script/ad blocks by sandbagger · · Score: 1

    One of the things I do for friends' computers is set the host files to auto-update from security malware sites. These update pretty regularly, unlike Adblock which, although useful, doesn't do everything. Noscript, Disconnect Me, Ghostery and the like are becoming de facto necessary security precautions. Were I running a consumer product's multi-million dollar ad campaign I'd be really pissed at the malware guys.

    --
    ---- The above post was generated by the Turing Institute. Maybe.
    1. Re:And companies complain about script/ad blocks by ruir · · Score: 1

      The thing I do for family is telling them if they want to be better off just using facebook and skype, is to buy an iPad. Better take care of these issues.

  34. Re:It's one of many reasons why Adblocking is mora by Burz · · Score: 3, Interesting

    No, he's implying ad servers need to start acting like a responsible industry. They pollute the web with malware and make a lot of sites unreadable with adblocking, owing to the moving, flashing and sometimes audible garbage that cover some sites.

    If a simple text article with a few associated photos causes my computer's fan to wheeze and slows it to a crawl, and the ads keep breaking my concentration, AND they pose a security threat that (over the years) has gone from significant to huge, then their business model is just attempting to use you as a pair of eyes with a wallet attached. FUCK THEM.

    Website operators like Ars Technica and Slashdot should be researching ways to deliver ads that are safe and sane -- there is no justification for a friggin' advertisement to be otherwise. It's just too bad the advertisers don't trust the content creators to serve the ads themselves. So what we get is a cycle of mistrust and negligence that puts their readers at risk of attack. It's sicko.

  35. Re:It's one of many reasons why Adblocking is mora by Burz · · Score: 1

    correction: 'with adblocking' should be 'without adblocking'

  36. A liability solution by Opportunist · · Score: 2

    It's very simple: Make ad companies liable for any damage done by ads they show. Wanna bet they start auditing the shit out of every letter they show?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  37. Re:Pre-meditated by Opportunist · · Score: 1

    This is America. CEOs are not executed. At worst, they're "moving on to new ventures" or, if they burned enough bridges "they decide to take a step back from the limelight and concentrate more on their family life".

    All, of course, with a fat severance paycheck.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  38. Re:It's one of many reasons why Adblocking is mora by Flammon · · Score: 1

    > On the other hand, if your site can only survive by being paid for with ads, you need a new business model.

    Google needs a new business model?

  39. Re:It's one of many reasons why Adblocking is mora by abhi_beckert · · Score: 1

    > You can pay directly to get rid of ads here. You can't say that for most other sites.

    Or just have high enough Karma that they'll let you turn the ads off for free.

  40. Re:It's one of many reasons why Adblocking is mora by dcollins117 · · Score: 3, Insightful

    > No, he's implying ad servers need to start acting like a responsible industry. They pollute the web with malware and make a lot of sites unreadable with adblocking, owing to the moving, flashing and sometimes audible garbage that cover some sites.

    Google demonstrated all that is really needed are text-only ads. That's the correct ad model, IMHO. No distracting flash, no vectors for malware, and they only take a small amount of screen space. Everything else is Doing It Wrong. Again, just my opinion, but as it turns out I'm always right :P

  41. Re:It's one of many reasons why Adblocking is mora by Man+On+Pink+Corner · · Score: 1

    (Shrug) DRAM is a lot cheaper than my time.

  42. ALL ADVERTISING by napulist · · Score: 1

    ALL ADVERTISING IS MALICIOUS

    1. Re:ALL ADVERTISING by Anonymous Coward · · Score: 2, Funny

      You should put that on a billboard.

    2. Re:ALL ADVERTISING by napulist · · Score: 1

      > You should put that on a billboard.

      touche

    3. Re:ALL ADVERTISING by i.kazmi · · Score: 1

      stop using ad-supported websites and the malicious advertising will go away...you do realise that these websites aren't free, right? if the website isn't paywalled and it's not selling something, the owner of the site has to pay for hosting, bandwidth and maybe even development/maintenance (if they aren't developers themselves) somehow, care to propose a model which does not involve paywalling most of the internet and removes them malicious adverts at the same time? no? didn't think so!

  43. Re:Disable Javascript already! by StarFace · · Score: 1

    Yeah, I tend to switch around plug-ins, as Google changes things to mess up downloaders, downloaders adapt, but not at an equal rate. Right now this one seems to be working (so long as 720p is fine):

    https://addons.mozilla.org/en-...

    --
    V
  44. Re:It's one of many reasons why Adblocking is mora by tlhIngan · · Score: 1

    > Google demonstrated all that is really needed are text-only ads. That's the correct ad model, IMHO. No distracting flash, no vectors for malware, and they only take a small amount of screen space. Everything else is Doing It Wrong. Again, just my opinion, but as it turns out I'm always right :P

    Given Google has a marketshare of approximately 98% of the online advertising space, that means we should be seeing text ads everywhere, right?

    No, Google didn't demonstrate it. They simply cashed in on the novelty of text ads to buy up the ad networks and make more money because that's what people were paying money for. In fact, Google themselves probably is responsible for all the malware laced ads - given they own the ad networks that serve up the crap. Sure, Google wants to separate themselves away by keeping the original name rather than re-tagging them as Google (e.g., DoubleClick, a Google owned company, or AdMob, another Google owned company).

    In fact, I rarely see Google ads these days - the advertising space seems to be like it was before Google Ads. Either Google isn't that good at advertising anymore, or Google realizes that Google Ads just don't rake in the money anymore - keyword targeted ads, and all their Google-owned ad networks are bringing in the real money. It's like Google Ads doesn't exist anymore.

    Perhaps Google needs to screen their customers better to stop the plague of malware laced ads. They're the ones in the end serving it up, after all.

  45. Perhaps the most chilling statement in the article by oDDmON+oUT · · Score: 1

    "...companies 'should be afforded protection from regulatory oversight as well as frivolous lawsuits.'"

    This smacks of "tort reform" and "security through obscurity" and we all know how well both of those worked in favor of consumers.

    --
    Some days it's just not worth
    chewing through my restraints.
  46. Re:It's one of many reasons why Adblocking is mora by metrix007 · · Score: 1

    Google sells far more than just adspace. Google sells information.

    --
    If you ignore ACs because they are anonymous - you're an idiot.
  47. It's why Adblocking is Necessary by billstewart · · Score: 1

    Back when I was reading the Internet on a 14.4-kbps modem, the bandwidth used by ad banners was annoying, but you could block some of them with a hosts file, and the others weren't really that annoying unless they were using blink tags or animated GIFs. (Popups were annoying enough that most people blocked them pretty quickly.)

    But sorry, if my browser is going to run random Javascript or Flash, it means my browser is going to run slowly and unreliably, and there's a risk of malicious content, and it's not safe to allow that kind of stuff.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  48. Re:Ok - but. it's not THEIR code... apk by sjames · · Score: 1

    If they were smart and had foresight, they would do anything to avoid giving people an ironclad ethical reason why it is their absolute right to block ads in self defense.

    That ship has sailed now.

  49. Re:It's one of many reasons why Adblocking is mora by hairyfeet · · Score: 1

    It's also an outright lie because they are confusing ADBLOCK with ADBLOCK PLUS, which are two DIFFERENT PRODUCTS. It would be like someone telling you to get an iPhone and the guy behind you says "I bought an iPhoneY and they sucks"...not the same thing, just has a similar name because the one is trying to piggyback on the other. I have been running ABP for several years and the difference with both Chromium based and gecko based browsers with and without ABP is so low as to not even be worth calculating, somewhere on the order of a couple hundred MB and that is with multiple tabs. If you figure up how much those tabs would be taking if you let the flash ads load? It would be more than ABP is taking, so it's a wash really and the amount of time wasted cleaning malware makes running ABP worth a couple hundred MB.

    --
    ACs don't waste your time replying, your posts are never seen by me.