Slashdot Mirror


Superfish Injects Ads In 1 In 25 Google Page Views

An anonymous reader writes: A new report from Google has found that more than 5% of unique daily IP addresses accessing Google — tens of millions — are interrupted by ad-injection techniques, and that Superfish, responsible for a major controversy with Lenovo in February is the leading adware behind what is clearly now an industry. Amongst the report's recommendations to address the problem is the suggestion that browser makers "harden their environments against side-loading extensions or modifying the browser environment without user consent." Some of the most popular extensions for Chrome and Firefox, including ad-blockers, depend on this functionality.

  1. To save the internet from fake ads by the_skywise · · Score: 4, Interesting

    Google sez we must remove ad blocker functionality!

    I smell an ulterior motive..

    1. Re:To save the internet from fake ads by future assassin · · Score: 1

      First they came for the non mobile sites
      Then they came for the ad blockers
      ??????
      Profit!

      --
      by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
    2. Re:To save the internet from fake ads by swillden · · Score: 3, Informative

      Google sez we must remove ad blocker functionality!

      I smell an ulterior motive..

      Reading comprehension fail. The summary says:

      Amongst the report's recommendations to address the problem is the suggestion that browser makers "harden their environments against side-loading extensions or modifying the browser environment without user consent." Some of the most popular extensions for Chrome and Firefox, including ad-blockers, depend on this functionality.

      I'd expect that most users who install ad blockers consent to having it modify the browser environment.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:To save the internet from fake ads by popo · · Score: 1

      Keep in mind that Google themselves promotes AdBlockPlus pretty heavily within their Chrome store, and that Google is whitelisted in ABP.

      If this is indeed an ulterior motive, then it would seem to indicate that Google has become concerned about other ad blockers that fall outside their control.

      --
      ------ The best brain training is now totally free : )
  2. No control is the real issue by cstec · · Score: 4, Funny

    As a serious coffee consumer, their main problem is you can't customize the cup of coffee. I drink so much coffee that I started making it weaker, and weaker, and then half strength. The last time I stayed in an office with a Keurig setup, I think I nearly killed myself before I realized what was happening.

    I'd love to have one, but the 'my way or the highway' reality of those little cups doesn't work. And don't even start on the cost.

    1. Re: No control is the real issue by Anonymous Coward · · Score: 1

      Lol wut

    2. Re: No control is the real issue by cstec · · Score: 2, Informative

      I have no idea. It looked a lot like the previous story on the screen!

      Shouldn't have used the words "no control"

    3. Re:No control is the real issue by Anonymous Coward · · Score: 4, Funny

      So even the Keurig 2.0 is infected by Superfish? This is worse than I thought!

    4. Re:No control is the real issue by SeaFox · · Score: 1

      How many cups do you drink total, though?

      1) Get double-capacity mug.
      2) Half fill with hot water.
      3) Make one K-cup of coffee
      4) Pour in larger mug.
      5) Ta-da. 50% strength coffee,

    5. Re:No control is the real issue by cstec · · Score: 1

      I am humbled the score 5 Funny for "No control is the real issue". I should reply to the previous post more often!

      I'd like to point out by "no control" I was really talking about Google, Apple, police brutality, congress, Depends, the morning after Super Sushi Night and memes with cats

    6. Re:No control is the real issue by cstec · · Score: 1

      How many cups do you drink total, though?

      1) Get double-capacity mug.

      As it happens, the SO got me this great TF2 'cup.' As it's double sized, I'm usually on #13-14 before I realize I need to Set the Twinkie Down and Step Away(tm)

      Adding water is just.... gads, equal parts repulsive and rational

  3. well, of course it does. by turkeydance · · Score: 1

    that's what it's Supposed To Do.

  4. Or disable javascript by Spy Handler · · Score: 4, Insightful

    whoever thought running scripts from random sites and ads was a good idea?

    1. Re:Or disable javascript by Anonymous Coward · · Score: 2, Insightful

      90% of sites now don't work at all without javascript. It makes for a very boring internet.

    2. Re: Or disable javascript by Anonymous Coward · · Score: 1

      Then leave. Those 90% of sites click baited you anyways. They never offered you anything that the 10% of actually functional sites can't do. Quit following the crowd if you despise it so much. Nothing I go to breaks from not allowing 3rd party connections and that includes here, YouTube, twitch...
      Anyways, your 90% is BS because YouTube is 90% and it's not broken.

    3. Re:Or disable javascript by Anonymous Coward · · Score: 1

      whoever thought running scripts from random sites and ads was a good idea?

      Probably the person who never realized somebody could run malicious activities from programs executed on your own computer, and that networking would turn it into a giant furball for the rest of the world.

    4. Re:Or disable javascript by MadKeithV · · Score: 2

      90% of sites now don't work at all without javascript. It makes for a very boring internet.

      Most sites work fine once you enable their main URL. The ones that show up with a list a mile long of script sources are the ones where you just click the "X" instead.

  5. 1/25 = 4% not 5% by Anonymous Coward · · Score: 1

    Jeez!

    1. Re:1/25 = 4% not 5% by Len · · Score: 1

      4% is Superfish, 5% is ALL ad injection. Jeez.

  6. Math check by Anonymous Coward · · Score: 2, Informative

    Since when is 5% the same as 1 in 25??

    1. Re:Math check by dotancohen · · Score: 4, Informative

      5% are affected, Superfish is responsible for 80% of those affected, i.e. 4% total. Here is a restatement of the fine summary, with some noncritical interjections removed (and TFS was missing a comma anyway):

      5% of IP addresses accessing Google are interrupted by ad-injection techniques, and Superfish is the leading adware

      --
      It is dangerous to be right when the government is wrong.
    2. Re:Math check by fph il quozientatore · · Score: 2

      Also, 5% of IP addresses, not of machines. If one student in your whole university network has it, that still counts as an infected address.

      --
      My first program:

      Hell Segmentation fault

  7. ad injection isn't all Silverfish does by Anonymous Coward · · Score: 1

    It also hijacks all your SSL/TLS sessions via MITM attack with the installation of a self-signed root cert. It also goes to some unusual lengths to hide itself to prevent uninstallation, IIRC. It's straight-up spyware.

  8. Why should ad blocking require side-loading? by TheSunborn · · Score: 1

    Why should the ad blocking plugin require side-loading without user interaction?

    It doesn't as far as I know.

    1. Re: Why should ad blocking require side-loading? by Anonymous Coward · · Score: 1

      Only crippled adblockers for chrome do that.

    2. Re: Why should ad blocking require side-loading? by DMUTPeregrine · · Score: 1

      Use a locally hosted caching DNS server. It's very fast even with large blocklists. Unlike a you-know-what that slows down significantly as the blocklist gets larger.

      --
      Not a sentence!
  9. Just don't allow all JavaScripts. by Futurepower(R) · · Score: 4, Informative

    Just allow JavaScript on the main URL.

    1. Re:Just don't allow all JavaScripts. by BlackPignouf · · Score: 1

      Seems interesting and reasonable.
      How do you do this? With Ghostscript/NoScript/...?
      Does it work well? A lot of websites use 3rd party js plugins for map display for example.

    2. Re:Just don't allow all JavaScripts. by davidleelambert · · Score: 1

      That would prevent sites from using a cacheable common location, such as the CDNs that host YUI, for assets that are reused across sites.

      --
      note: I have at least one, possibly two other, Slashdot accounts because OpenID creds can't be merged with an older acco
  10. Re:Do as I say, not as I do by Adriax · · Score: 2

    Google is providing a service, or is serving ads on behalf of the webpage owner you are viewing.
    Superfish is getting ad revenue without providing you a service.

    If you can't tell the difference between a legitimate and limited advertiser and leech malware then you need your eyes checked.

    --
    I don't suffer from insanity, I enjoy every minute of it!
  11. Advertiser: Don't Block Ads by Anonymous Coward · · Score: 1

    So Google, an advertising company, recommends that browser developers disable the capabilities that ad blockers rely on? Surprise, surprise. It sounds a little too much like the FBI saying we shouldn't use encryption because a few terrorists or perverts might take advantage. Sorry, I'm not into throwing out the browser with the bathwater.

    Firefox hasn't been doing so well lately, but getting out of bed with Google might have been a big benefit.

    1. Re:Advertiser: Don't Block Ads by swillden · · Score: 1

      So Google, an advertising company, recommends that browser developers disable the capabilities that ad blockers rely on?

      Actually, they recommend browsers disable those capabilities unless the user consents to enabling them.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    2. Re:Advertiser: Don't Block Ads by swillden · · Score: 1

      Actually, they recommend browsers disable those capabilities unless the user consents to enabling them.

      Right, disable user-positive features by default unless the user reconfigures their browser to the contrary.

      No, disable potentially user-positive and potentially user-harmful features unless the user approves on a dialog containing suitably-scary text so they will stop and think about whether or not they trust this extension that they're giving control over and visibility into all of their browsing.

      It's fine to actively prompt; no need to require users to go searching for the setting. But it's important to give users the control, so drive-by extension installs (like Superfish) don't assume it for them.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  12. 25th Post! by BadPirate · · Score: 1

    Buy Viagra!

    --
    - Holy crap, I've got MOD points! Who thought that was a good idea.
  13. Re:Do as I say, not as I do by peragrin · · Score: 1

    Can you tell when looking at a normal webpage which ads are legit and which ones aren't?

    The answer is of course no.

    All advertising is malware.

    --
    i thought once I was found, but it was only a dream.
  14. Double your pleasure by UnixUnix · · Score: 1

    I run two browsers, main one armored by Adblock Plus, NoScript, settings, etc and another one bare. If there is a hitch I move over to the latter. If it shows me a penis enlargement scheme guaranteed by Google top management I return to the first.

  15. Re:Do as I say, not as I do by Adriax · · Score: 2

    I don't see ads because I run adblock.
    But I'm not deluded enough to believe ads don't have a legitimate use.

    Slapping a sponsored link to adobe at the top of my search for "pdf editor" is vastly different than overwriting the links and sending me to a hack job website trying to sell me genuine counterfeit handbags, black magic love slavery spells, and adobe pro licenses for 1/10th what they normally cost.

    --
    I don't suffer from insanity, I enjoy every minute of it!
  16. No, Stupid by allquixotic · · Score: 1

    The relevant software products that are getting extensions sideloaded into them -- Firefox and Chrome -- are both open source. If a vendor like Lenovo wants to put ads in your browser with an extension, what do you think is going to happen when Google shuts off outside extensions in Chrome? That's right -- they're going to ship a fork of Chromium and call it "Lenovo Browser" and make it the default browser. You read it here first, folks.

    The solution, for consumers, is simple. Don't use the pre-loaded OS installed on your system. Use a program to get your product key back, then wipe and reinstall from the original OS media. Or if you happen to be able to tolerate a non-Windows OS, just install one of those.

    It's also worth mentioning that, as long as Chromium or Firefox is open source, people who want to use ad-blockers will be able to use them, no matter how hard Google tries to stop people from using them. Even if Google used their might to convince Mozilla to take Firefox closed source, another community fork would spring up to maintain Firefox and keep it up to date.

    These companies need to understand that you can't strong-arm an idea. Open source code is basically an idea, and as long as there are people, there will be people who are building open source projects that do things that make you lose money. If that keeps you from getting any sleep at night, tough cookies. It's exactly the same reason that we can't defeat terrorism no matter how many people we kill. You can't kill your way through an idea, unless you kill every last human on the planet. This is especially true when tightening your grip makes people want to do that thing you don't want them to do *even more* -- ad blocking has this characteristic to it, too.

    1. Re:No, Stupid by mujadaddy · · Score: 1

      You can't kill your way through an idea, unless you kill every last human on the planet.

      They're working on that, too.

      --
      Populus vult decipi, ergo decipiatur...
      "Force shits upon Reason's back." - Poor Richard's Almanac
  17. Re:Do as I say, not as I do by thsths · · Score: 1

    Exactly my thoughts. Both do it against the users' interests.

    But at least Google is nominally in control of the page, so they have a certain right to do it. Superfish would argue that the user installed it, and so they have a right, too, but the way that it prevents removal indicates otherwise.