Malvertising Up By Over 200%
An anonymous reader writes "Online Trust Alliance (OTA) Executive Director and President Craig Spiezle testified before the U.S. Senate's Homeland Security and Governmental Affairs Permanent Subcommittee on Investigations, outlining the risks of malicious advertising, and possible solutions to stem the rising tide. According to OTA research, malvertising increased by over 200% in 2013 to over 209,000 incidents, generating over 12.4 billion malicious ad impressions. The threats are significant, warns the Seattle-based non-profit—with the majority of malicious ads infecting users' computers via 'drive by downloads,' which occur when a user innocently visits a web site, with no interaction or clicking required."
And is expected to peak on the Monday before the first Tuesday in November
The others being performance and functionality related. I don't like ads due to the security risk, and they can slow down my machine and make it very fucking hard to see the article.
If your site has harmless ads, that is one thing.
On the other hand, if your site can only survive by being paid for with ads, you need a new business model.
If you ignore ACs because they are anonymous - you're an idiot.
> On the other hand, if your site can only survive by being paid for with ads, you need
> a new business model.
Like Slashdot, you mean? Or is this site supported by the Bandwidth Pixies?
It's useful, I don't know if it's convenient. Most sites won't even load anymore if you have Javascript turned off.
"Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
They're talking about 2 different things. Malware advertising is "your PC had errors. Click here to fix it" and it downloads some registry nagware bullshit. Drive by downloads are not ads at all. It's an exploit kit and it's what happens when the ad blocks get hacked. It's not like someone supplied exploit code to Google's advertising program. The article is talking about 2 completely different things.
I think he's saying all content needs to be either paywalled or made or sponsored by the wealthy and powerful.
How can I believe you when you tell me what I don't want to hear?
"It's useful, I don't know if it's convenient. Most sites won't even load anymore if you have Javascript turned off."
It's a huge timesaver. If they are not returning a webpage I figure that out immediately and move on to another site that does. With default settings on a modern browser you can only figure that out later through more subtle clues, and in the meantime you have infected your machine.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
> Or is this site supported by the Bandwidth Pixies?
At one point, yes. I was one of them. I worked at an ISP and we gave Rob Malda a Pentium Linux box (slackware, IIRC) to host images.slashdot.org when his T1 started getting full. We gave Slashdot free hosting and bandwidth for about 2-3 years, until he moved on to other servers.
-- I have a private email server in my basement.
Good, now I don't have to say it. I'll just be among those who agree with it.
This is no different, in my opinion, than having a "smart TV" (or an xbox360/one) in your livingroom and having advertisers gaining access to your entertainment device. For many people, there is literally no distinction. We are not required to hand over our privacy and security to support someone else's business model. Some would say "if you consume, you are morally obligated" but I disagree.
Someone needs to stand in front of congress and say "hey, this isn't a problem for Firefox users because they have a convenient and largely effective means by which they can protect themselves. MSIE and Chrome, not so much, and this is by design. Talk to the companies who support these malicious advertisers about why they choose not to protect their customers."
Too many web sites which run ads are buying them through a chain of multiple resellers. Under current law, the web site running the ad can usually disclaim responsibility for hostile ads. That may change. The article is about testimony before the U.S. Senate's committee on homeland security.
The site that displays the ads should be held responsible. Sites which run ads would then need to protect themselves by legal and technical means. For example, if you run ads on your site, your contract with the advertising provider should provide that they will indemnify and defend you should a bad ad get through.
Only a small minority of sites flat out won't work without scripting. Just cruise past those idiot webmasters (they were probably making Flash only sites back in the day) and find an analogous site, there are usually many.
Then there are some that bitch if you have it off, like YouTube (they cannot track you as well without it, which is why they whine). But they are still functional. I can make full use of YouTube without scripting, with a Flash downloader. I get better performance than with their shitty streaming thing, anyway.
And always send feedback if a company or individual is clearly clueless over how scripting should be optional to the functioning of a site. If you never write in, they will never know their site is broken in a secured environment.
V
If you're running flash, you have no need to worry about javascript, you're already vulnerable.
I think we've pushed this "anyone can grow up to be president" thing too far.
I thought we were past the days of IE6!
Yes, but so are the attackers.
Assorted stuff I do sometimes: Lemuria.org
I'm not sure that the site owners are necessarily where the liability should fall, but it certainly need not be restricted to whoever paid for the ad. For example, if I accept $100 to "go put this box under that car", I will likely face some consequences if I can't articulate a good reason I didn't think it was a bomb.
The ad companies have some duty not to publish malware. Now that it's common enough to have news articles written about it, they can no longer pretend that it's not something they might expect to happen.
It's a bit disturbing that they haven't taken steps on their own since it provides a very good reason why people should block ads.
This is yet one more example illustrating precisely why ad blocking is necessary. The bloggers and others who make their living in the content business howl with righteous indignation at those of us who use these tools, but I submit that their anger is misdirected. On the contrary, it's the advertising networks who rightly deserve their wrath for allowing their business to become a cesspool of infectious viruses, worms and frankly worthless crap. Indeed, it seems that their motto is, "our advertising services are the right thing for anyone with a credit card, no questions asked." So I ask you, why should visiting your site without ad and script blocking enabled be akin to walking into the darkest corner of the bathhouse, bending over and letting everyone have their way with nary a condom nor a reach around in sight?
No, he's implying ad servers need to start acting like a responsible industry. They pollute the web with malware and make a lot of sites unreadable with adblocking, owing to the moving, flashing and sometimes audible garbage that covers some sites.
If a simple text article with a few associated photos causes my computer's fan to wheeze and slows it to a crawl, and the ads keep breaking my concentration, AND they pose a security threat that (over the years) has gone from significant to huge, then their business model is just attempting to use you as a pair of eyes with a wallet attached. FUCK THEM.
Website operators like Ars Technica and Slashdot should be researching ways to deliver ads that are safe and sane -- there is no justification for a friggin' advertisement to be otherwise. It's just too bad the advertisers don't trust the content creators to serve the ads themselves. So what we get is a cycle of mistrust and negligence that puts their readers at risk of attack. It's sicko.
It's very simple: Make ad companies liable for any damage done by ads they show. Wanna bet they start auditing the shit out of every letter they show?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
> No, he's implying ad servers need to start acting like a responsible industry. They pollute the web with malware and make a lot of sites unreadable with adblocking, owing to the moving, flashing and sometimes audible garbage that covers some sites.
Google demonstrated all that is really needed are text-only ads. That's the correct ad model, IMHO. No distracting flash, no vectors for malware, and they only take a small amount of screen space. Everything else is Doing It Wrong. Again, just my opinion, but as it turns out I'm always right :P
You should put that on a billboard.