Google Says 5% of Visitors to Its Sites Have Ad Injectors Installed (techcrunch.com)
175 points by alexcasalboni on April 1, 2015 | 153 comments


Well maybe they should stop allowing download sites that offer ad infected downloads to buy the top spots on the google search results page? https://i.imgur.com/Ote9c2k.png

Adwords is probably one of the main infection vectors for malware these days.

Previous rant: https://news.ycombinator.com/item?id=8879229


This, right here, is why I have no qualms installing Adblock Edge and insisting that my parents (and anyone else who isn't very tech-savvy) do the same.

It's not about not wanting to support independent bloggers. It's about making sure that unsuspecting users don't accidentally download malware when they're doing something mundane like downloading their web browser.

In the age of the web, Adblock is the new anti-virus.


It's the 30 second youtube ads that finally got me to install adblock again after 3 years without.

Also the javascript late load "oops click" tricks they're pulling to scam advertisers now (google search, youtube, bing search - all use late load javascript to get misclicks).


> It's the 30 second youtube ads that finally got me to install adblock again after 3 years without.

Same here. I couldn't be bothered to install AdBlock for many years, but the mandatory before-video ads were the straw that broke the camel's back for me.

> Also the javascript late load "oops click" tricks they're pulling to scam advertisers now (google search, youtube, bing search - all use late load javascript to get misclicks).

I've lost track of who is trying to scam who. The users are collateral damage anyway.


> Same here. I couldn't be bothered to install AdBlock for many years, but the mandatory before-video ads were the straw that broke the camel's back for me.

That's because people in general don't mind wasting a bit of screen space but the mandatory wasting of time is of a completely different order. Time is our most precious capital.


I don't mind the 30 seconds ads (to be fair in my area very few video ads are unskippable on Youtube). I consider these ads the price to pay for a free video website like Youtube. I could even consider paying to remove ads in Google products (or for something like Google Play Music Unlimited that also removes ads on Youtube now that it will be used for music as well). I use uBlock though in order to remove the numerous popup/popunder ads on some websites. These are just a pain in the ass without any justification (and most of the time are tied to suspicious offers).


I do mind them, because the most common use I have for YouTube is background music and short clips. A song is usually 3-4 minutes long, which makes the ad 12-16% as long as the content. Clips are even shorter, and the very disruption of my state of mind is annoying.


> (google search, youtube, bing search - all use late load javascript to get misclicks).

Of course, go back a year or so and everyone was screaming at ad providers for using blocking JavaScript.


And what is stopping them from having the placeholders a specific size, instead of expanding them when the javascript finally loads/starts up? If that sort of thing was unfeasible to do then fine, I'll give you your point. But they have no excuse. So they're either just too lazy to do it properly (and enjoy the nice mis-clicks on ads) or they just like the mis-clicks on ads and did it purposefully.


I'm not familiar with the systems, but I imagine that not knowing the eventual size of the ad would prohibit that. Or the fact that you'd have to have the user insert some HTML alongside your currently very simple <script> entry.


Most likely A/B testing showed increased revenue on the page when they did the slimy javascript jump.


It's definitely the people who are least inclined to install an ad blocker that could use it most.

On the other hand, it takes a long time, but they do learn to be more cynical about the Internet if they're exposed to its raw state.


It takes less than sixty seconds and requires nothing more than installing a browser extension.


The people who most need to do this don't know what a "browser" is, much less an "extension".


And are still paying for AOL as it's the only way to get on the internet.


There's a lot of crapware disguised as adblockers that unsophisticated users can fall for...


I think they meant that it takes the users a long time to learn to be cynical.


This is a good point. I often take for granted how quickly I can recognize advertisement from non advertisement. I attribute most of it to spending my early days on the Internet reading marketing forums and running ad campaigns myself. Nowadays marketing is very subtle. Often you find yourself reading content and don't even realize somebody paid for that content to build their brand, drive traffic, etc. Look at recipe sites for example. If you watch your ad blocker count the ads, recipe sites always have one of the highest numbers. Who would ever think that if they didn't know what to look for?

My rule of thumb is "if nobody would write this without getting paid for it, then somebody probably got paid for it."


They've apparently updated their adwords policy regarding this. Now it's a matter of enforcement:

http://ipensatori.com/2015/03/20/google-update-to-software-d...


I have a google alert for one of my open source projects (APSW) and every day almost they email me one or two sites where it has popped up. Virtually every one has a bizarre name, and on going to the site it is content obviously generated using Markov chains from other sites and incomprehensible to humans.

Of course there is no way to tell Google that these aren't real sites (I tried) and distinguishing real text from Markov chains using a computer is hard.

I keep wondering what it will take for them to figure out bad content, both for the computer (javascript etc) and for people (english etc).


Adwords has had a policy against ads for malware for many years now. (I helped develop an earlier version of that policy.) But it's not entirely effective. Unreviewed ads, poorly reviewed ads, and ads for sites that just barely skirt the boundaries of being malware are all regular problems. For some historical perspective, here's a 2007 article: http://www.infoworld.com/article/2663560/application-develop...


As recently as a year ago, even "google chrome" turned up an adware ad as the first "result" in a Google search:

https://twitter.com/mbrubeck/status/459715935272566784


The reality is that there is virtually 0 market for user-friendly PPC ads on browsing sessions with noncommercial intent. Therefore scammers (users have a wider definition than Google) will always win the auctions.


Absolutely. Though they're apparently changing their policy sometime this month to require ads advertising downloads be that app's "primary download source".


That's good to hear. As you can see if you follow the links above I've been ranting about this for a long time.

Do you have a source for that information?



Your rant is outdated. This is what "download firefox" looks like now:

http://i.imgur.com/dG7wONC.png


There are still a lot of Google ads on download sites that are extremely misleading and look like download buttons. http://blog.malwarebytes.org/wp-content/uploads/2012/10/Ad8....

As I wrote in another comment, even YCombinator invested in a bundleware company and PG defended it, so I guess the problem is deep rooted.

https://news.ycombinator.com/item?id=9283176


A good illustration of how difficult it can be to download software if you're not well trained to spot ads: https://i.imgur.com/0vPdDYU.png


For you.

It looks more like the OP's version to me, including 'softonic' as the third linked one. The top two are mozilla's (and I use an ad blocker so I don't see the ad).

On Chrome the first 6 links are mozilla's then the 'download sites' start.


I don't use an adblocker and I get the same results as you (top two are Mozilla, followed by softonic), no ads present.


I personally have adblock disabled on google.com because I want to support them and I see this: https://i.imgur.com/dEnFy15.png

The ads are not gone.


I just tried it. 2nd and 3rd links install ad injectors

http://imgur.com/AChAmGp


You can't take a single search as evidence that things have changed. Ads won't always show for the search terms for various reasons (geography, language, platform, lack of ad budget etc).


With uMatrix in Chrome I see "firefox.safe-downloading.com/" as the top result, with the Mozilla Foundation banner below it.


My 2nd link on google when searching for "firefox" is an ad-injected installer on firefox.safe-downloading.com (appreciate the irony of the domain name).


To be fair, while the sites in your screenshot are listed in Google's index, they aren't the top results for "download firefox". There are 4 official Mozilla links before the crap links not to mention a special Google feature box (or whatever they call it) at the top with a direct link to Mozilla.


Usually those kind of ads get shot down just on trademark. At least that's been my experience. I could never bid a term like that in adwords.


I googled for "Open Office download" on a family's computer and went with the first download -- download.com or cnet, I think.

It downloaded very fast and I thought "well, maybe it's just an initializer that torrents the rest". NOPE. Within 30 seconds of the installer, it prompted to install an ad-bar in the browser. I quickly closed and researched for the official site.

It was scary, being a technical professional, and executing an adware (malware?) installer while trying to install an open-source alternative to the most popular word-processor for a less-than-savvy family member.

It was the top result on Google at the time.


CNET.com and Download.com are both part of CBS Interactive (CNET Networks was a publicly traded company and was bought by CBS in 2008).

I worked at CBS Interactive when the Download.com installer/adware controversy erupted: http://insecure.org/news/download-com-fiasco.html

As you might expect, it was controversial inside the company as well. I guess things haven't changed after I left.


Off-topic, but: these days you should probably use LibreOffice, since most developers jumped ship to the fork and it's seen considerable improvements OpenOffice.org hasn't.


A nice benefit of using DuckDuckGo is the distinctive way it flags an official site.


I go to Wikipedia nowadays to find a project's official URL. Not foolproof but better than Google.


Same thing with firefox. I made that mistake once because I never expected a malware download link to be higher in google's rankings than mozilla.org.

I was shocked, and to this day I find that utterly ridiculous.


I never download from 3rd party sites like cnet. Just take the extra few seconds to identify the official site and go there.


This is fundamentally Microsoft's fault. The shareware culture of Windows is insanely insecure these days. Any sane operating system should have a packet manager, with all the software you could want included, and nothing you don't.


With Microsoft having that large a share of the PC market this would result in anti-trust lawsuits.

I think this issue must be solved on a regulatory level, i.e. Google (and Bing!) should be punished for providing malware links (and the actual providers of course).


This is one of the reasons why I love using Chocolatey. Downloading and running an installer from an arbitrary site feels both quaint and dangerous.


Yeah it's Microsoft's fault for allowing third-party applications to be installed on their OS. You'd never see OSX or Linux letting people install software without going through a walled garden.


It isn't really a walled garden. It's just that pretty much everything is inside the garden and there is very little outside that that anyone would want.

Interestingly enough, the only commercial software that Linux people regularly install is its own separate walled garden; Steam.


>You'd never see OSX or Linux letting people install software without going through a walled garden.

I can't speak for or against OS X, but with respect to Linux this is plainly false, unless by "Linux" you mean "Android" or by "walled garden" you mean "basic user authentication."


Pretty sure parent was being sarcastic


It's so hard to tell sometimes.


Ad injection can cause other problems, too, especially when combined with people whose understanding of technology is lacking.

A few years back I got a job to do a wordpress site for a client. However, I wasn't dealing directly with the client, I signed on through a friend who was a fellow staff member of a forum I frequented. He agreed to create their site despite the fact that he was almost entirely technologically illiterate. His skills were at the 'barely read email' and 'be puzzled by OSX window decorations' sort of level. So, I agreed to do the job.

After working on the site for a couple of weeks, one day I received a call from him. He was quite upset as he was seeing porn ads and random nonsense characters on the blog. I investigated and found no trace of ads or foreign code, using several devices and several separate Internet connections. However he could see the ads on multiple devices in his house. Attempts to get him to try another Internet connection like his phone service were unsuccessful. I was pretty sure there was nothing wrong with the site, which was hosted on my VPS along with a couple of other sites that had no sign of issues. However he grew progressively more worried that the client would see these ads on the page, which was live for some reason. I even engaged the help of 20 or so people from the forum to check and they all agreed that no porn ads were visible to them. However this just upset my friend more as he felt embarrassed, but still convinced there was a problem. I suspected he had a virus on the systems at his house (all Apple...) or his router. It ended up with me being banned from his forum and being forced to quit the job... Before finally someone reset his router and the porn ads disappeared.

So, content appearing from unknown sources has definitely caused me problems in the past.


You can't trust anybody except for open source repositories.

The easiest way to get such trash on your computer is installing software from a commercial vendor. Oracle is one major source of headache, if you aren't careful you'll find your 'java' install also gives you a severe case of malware/crapware.

There are whole companies dedicated to this concept of piggy-backing junk.


> There are whole companies dedicated to this concept of piggy-backing junk.

... including a YC company called InstallMonetizer: https://news.ycombinator.com/item?id=5092711


Fortunately they have 'watsi' too.

Downvoters are invited to explain what's wrong with this comment, I see installmonetizer as one of the low points in the history of YC and watsi as the high point, possibly the high point in VC investing in the last decade or more.


Spending your weekends volunteering at a soup kitchen doesn't give you the right to throw litter onto the highway.

Just because YC has watsi doesn't mean they shouldn't have to explain why they're affiliated with InstallMonetizer, and justify their decision.


I agree with that in principle, but: YC invests in companies at an absolutely enormous rate, they have relatively few 'rotten apples' when you take into account that they encourage companies to pivot post investment and that they couldn't change what a company actually does even if they wanted to (they own a very small minority of the stock after all).

If I were in YC/PGs shoes I would have dropped installmonetizer the second I found out what they did but then again, I don't run the most successful start-up accelerator on the planet for a good reason.

In fact, I wouldn't have invested in them in the first place. But on the whole if you select for hackers driven to make money at any cost you can expect to get a rotten apple every now and then.

Whether or not YC should have dropped installmonetizer once it became clear what they were up to (if that wasn't clear from the application alone) is something everybody has to decide for themselves, for me it is clear that they should have.

Also, to their credit I haven't seen them invest in anything as shady as installmonetizer after that point so maybe some lessons were learned.


> You can't trust anybody except for open source repositories.

Like Sourceforge? http://blog.gluster.org/2013/08/how-far-the-once-mighty-sour...


Ah yes sourceforge. How far the mighty have fallen.


Sourceforge was doing this on like day 3, so I'm not sure they fell that far?


They were pretty good for years, I'm not sure where you got your 'day 3' reference from but I was an early sourceforge user and they were pretty much like github today in terms of reputation.

Then times got tough and sourceforge sold to new owners and that's when the trouble started.


There was a time where I would tell friends, family, and clients that the top sourceforge projects were the only safe things to download on the internet.


I read the gp comment as something like a distribution repository. Apt-get or perhaps like brew on Mac OS and so on. Checksummed binaries and a single source for each machine.


> You can't trust anybody except for open source repositories.

Meanwhile, in the real world, Sourceforge injects adware in to downloads for open source projects. Trust is more subtle than open source/closed source.


Well, that depends if you read that as a "repository of open source software" or a "repository that is open source". Sourceforge doesn't qualify as the latter.


"You can't trust anybody outside of group X" does not imply "You can trust everybody inside of group X".


True, but then that is not what he said, you conveniently reworded it ;)


> True, but then that is not what he said, you conveniently reworded it ;)

I reworded it for generality, but specifically, "You can't trust anybody except open source repositories" does not imply "You can trust all open source repositories" in exactly the same way as, in more general terms, "You can't trust anybody outside of group X" does not imply "You can trust everybody inside of group X".


He didn't say all open source is trustworthy, only that closed source is not. And Sourceforge, the repository itself is not open source.


You can't trust open source repos either; you can only verify them.

And is anyone really reading all of the code they run before they run it? With all of its third-party dependencies?

I don't think open source repositories are safer because they're open source, but precisely because there is no commercial benefit to shoveling BS into them. In fact, with the bigger commercial open source software, you often do see crap you don't want being included as a means to funnel users into commercial channels.


Yes, that's an excellent point, I highly doubt anybody verifies what they install end-to-end. We all put a lot of trust in reputations and a couple of checksums.


Trust is fundamental to society, having a civilization is impossible without it. We shouldn't expect people to verify everything all the time.


You also need to verify that the binary you run is the same source code and be able to identify malware in source code that may be very well hidden. This isn't remotely practical, even for simple software.

The only practical solution I can see is proper sandboxing of applications so you don't need to trust them in the first place.


That's probably where we're headed. Hypervisors running single-application kernels talking via message passing over some networking protocol to display servers and other virtualized hardware.


Am I the only one who thinks this reality sucks? Everything locked down, no way to tweak or repurpose any of your software. I know, there are bad actors out there, etc. but shouldn't there be a limit for destroying utility of things in the name of security?


It definitely sucks to some degree, but it is the same kind of change when going from a small town or a rural area into a big city.

The houses where I lived in Canada weren't locked, they didn't even have locks. In Amsterdam it would take about 6 seconds from the time you left to have your house burgled if you did that.

As far as it reduces your ability to tweak or repurpose your software: I don't think that it has to be that way but it will definitely be harder than in an environment of trust.

Maybe there is an easy way to get both ease of fiddling and very high security but I haven't seen anything like that yet. There are some interesting research projects revolving around 'capability based operating systems' and such, maybe that's where the key lies, or in some other development currently underway.


Why would proper sand boxing limit tweaking or repurposing of software? (I must admit I'm not sure exactly what you mean by that). It just limits apps interactions with each other and the OS environment.


You answered your own question:

> It just limits apps interactions with each other and the OS environment.

That makes a whole slew of modifications and tricks harder and/or impossible without having access to the sourcecode of the software, which is (on windows at least) not rare at all.

Any kind of interaction not explicitly allowed is then forbidden and the sandboxing will be a lot harder to overcome than two apps on the same machine talking to each other using a third.

Maybe some kind of unified app-to-app messaging protocol can take care of this, similar to how linux systems use 'dbus' and the likes.


Exactly this. I still remember the times when if I needed to change something in an application, I could just write to its process memory directly. Those were fun times...

What I want is to retain the ability to repurpose the software on my terms. To move data in and out of the software whether software's authors like it or not. It's becoming harder each day, as more and more tools move to the cloud and turn into apps. I'm happy we still have userscripts in the browser but how long will it take before they get banned too?

This problem has many names. "War on General-Purpose Computation" is one of them, but I suppose the "professionalization of programming" is another. How long will it take before you'll need an engineering license to be allowed to use a compiler, or work with a Turing-complete language?


I really hope not to see that day. So, how to avoid it and not be open to security issues like these?

It used to be that you could get a lot of use out of a computer all by itself, nowadays that's changed and the trend to 'always on, always online' translates into having your machine potentially under attack 24/7.

Being vigilant against enabling the war on general purpose computation is very good, it is the biggest threat in the longer term and one of the reasons why I think that all these large silos are a very bad development.

I don't think we have much to fear from the 'professionalization of programming', not if the kind of code I see on a daily basis is anything to go by ;)

There have been numerous attempts at slapping a gateway on the ability to write software for the hardware that you already own, the only environment where this has taken hold is on mobile platforms, I sincerely hope that that is a development that we will sooner or later be able to revert.

But in order to revert it you'd have to come up with a solution for the pandemonium that would ensue if everybody and their brother would use the likes of 'download.com' or some equivalent to install their software from. Maybe something along the lines of apt-get for phones would be a starting point.


> I really hope not to see that day. So, how to avoid it and not be open to security issues like these?

I don't know. Part of the answer likely lies in determining who the "owner" actually is. I want to be the owner of my computer, but business interests go against it. For instance, MAFIAA doesn't want me to be the owner, because they want secure means to enforce DRM on me. Other businesses would also like to be the owners, because they can monetize me better this way.

> I don't think we have much to fear from the 'professionalization of programming', not if the kind of code I see on a daily basis is anything to go by ;)

Let's hope so, but I think it naturally follows from Trusted Computing - the technology will enable professionalization. Because right now, there isn't much you can do to prevent people from getting their hands on a compiler and using it.

> There have been numerous attempts at slapping a gateway on the ability to write software for the hardware that you already own, the only environment where this has taken hold is on mobile platforms, I sincerely hope that that is a development that we will sooner or later be able to revert.

I hope so, but I fear we won't - that at some point a company will finally figure out how to lease PCs to general population instead of selling them. You'll get a nice, cheap laptop, but it will be locked down, equipped with trusted computing hardware (the company will be the trusted actor, of course) and require to connect to the Internet every now and then to verify everything is ok. Basically, what happened to mobile, only worse. And people will buy into it if the price difference will be significant enough. Actually, I'm not sure what's stopping companies now from doing this.

> But in order to revert it you'd have to come up with a solution for the pandemonium that would ensue if everybody and their brother would use the likes of 'download.com' or some equivalent to install their software from. Maybe something along the lines of apt-get for phones would be a starting point.

Yup. Crap like this is a huge problem, but I'm not sure if it requires locking things down. You can go the Apple way and aggressively verify every piece of software you allow in your repository. This makes you the trusted authority, which carries risks like abuse of trust, but solves the problem without heavy sandboxing.

So far I see the issue of distributed vs. centralized as a tradeoff between secure but inefficient, and efficient but with serious failure modes. I wish there was a way to capture benefits of both while avoiding the risks.


> I hope so, but I fear we won't - that at some point a company will finally figure out how to lease PCs to general population instead of selling them.

They'll give them away just to get you to be part of the ecosystem!

Apple does provide some verification services but the major reason the app store in its current form exists is as a choke point to extract revenues and as a way to remove any credible competition to Apple supplied applications.


I haven't done this in most cases, but for some systems this is a practical action to take (embedded system, minimal software, security sensitive). The reality is any modern OS + apps for "basic" functions is far too complex and has too many SLOC in too many disparate languages for any one person to be able to reliably verify it all. Knowing that the very simple basic functionality of all the code you plan to run on an embedded device is secure though is still an achievable objective.


Actually, I do trust them and I do not verify them. So far I have had only good experiences.


The Linux model: you install software from repositories curated by people you trust - distribution maintainers. No viruses, no bundled adware, just simple no-bullshit software repositories. I have a hard time understanding why techies continue to put up with Windows and OSX.


Perhaps because in OS X I (mostly -- about on par with Linux) install software from repositories curated by people that I trust (Apple, Homebrew), and then I don't have to put up with Linux.


Agreed, every time I clean or set up a Windows computer for someone I marvel at how poor the entire process is, and how little it has changed in the past 15 years.

OSX still has very little adware attached to downloads, in my experience - plus there's the Mac App Store. It's pretty much just Windows users who endure that.


Setting up a windows 8 pc is wonderfully simple. There's an option to reset to defaults, and the default driver discovery is quite good. Windows 8 has picked up display drivers, wifi drivers and pretty much everything else that I care about in every laptop and desktop pc I've tried. I haven't tried Linux recently (about two years ago) but when I did I had major headaches with a Broadcom wireless driver, and a Bluetooth chip, that both worked flawlessly on windows 8.

Installing "common" software is a doddle too, with Ninite. You get Firefox, vlc, Dropbox, spotify, Skype (now in windows updates though) notepad++, up to date Java and .net run times, pdf reader etc etc. I set up the installer once about 3 years ago and the same one still works, with a one click update.


>I haven't tried Linux recently (about two years ago) but when I did I had major headaches with a Broadcom wireless driver, and a Bluetooth chip, that both worked flawlessly on windows 8.

As someone who has used Debian almost exclusively for a few years now, I've got to admit that Windows 8 really does handle drivers nicely. Linux systems are generally pretty good about drivers these days, at least if you allow proprietary drivers, but nothing beats total out-of-the-box automation.


The most popular Linux distribution for end-users (Ubuntu) comes pre-installed with adware. To be fair, they ask you nicely whether to enable it nowadays, which makes it a few magnitudes better than most Windows adware. But it's sadly still enough to refute "no bundled adware".


At least you can get some projects crap-free from https://ninite.com/ The notable exception is Flash. The only place you can get up-to-date, crap-free versions of Flash is this URL: https://www.adobe.com/products/flashplayer/distribution3.htm... and scroll down, don't use the big "Download Adobe Flash Player" button on the right.


These companies are exploiting trust for the sake of making money. We all lose when the trust is destroyed just for a few to make few extra dollars. Privatized profits, socialized losses.


Open source isn't some magical protection. Even with being a much smaller target, there have been malware on Linux repos.

Example on Gentoo (ignore the over the top headline):

http://www.zdnet.com/article/linux-infection-proves-windows-...

Not to mention that the repos themselves have been having security issues over the years.


Gentoo systems refused to accept the backdoored source code because the SHA1 hash no longer matched - that's how the backdoor was discovered in the first place.
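
The check the comment above describes, as an added example that is not part of the thread: a fetched archive is accepted only if its size and every recorded digest match the manifest entry made when the release was reviewed. The manifest layout is a simplified, constructed one, and the file name and contents are made up.

```python
# Added illustration: fetch-time integrity check in the style of a
# source-based package manager. Manifest layout, names and data are constructed.
import hashlib
import hmac


class IntegrityError(Exception):
    """Raised when a fetched file does not match its manifest entry."""


def parse_manifest(text):
    """Parse lines of the form: DIST <name> <size> <ALGO> <hex> [<ALGO> <hex> ...]"""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "DIST":
            continue  # skip blank lines and unrelated entries
        name, size, rest = fields[1], int(fields[2]), fields[3:]
        if len(rest) % 2:
            raise ValueError(f"malformed digest list for {name}")
        digests = {rest[i].lower(): rest[i + 1].lower()
                   for i in range(0, len(rest), 2)}
        entries[name] = (size, digests)
    return entries


def verify(name, data, manifest):
    """Return True if data matches the manifest entry; raise IntegrityError otherwise."""
    if name not in manifest:
        raise IntegrityError(f"{name}: not listed in manifest")
    size, digests = manifest[name]
    if len(data) != size:
        raise IntegrityError(f"{name}: size {len(data)} != recorded {size}")
    # Every recorded digest must match, not just one of them.
    for algo, expected in digests.items():
        actual = hashlib.new(algo, data).hexdigest()
        if not hmac.compare_digest(actual, expected):
            raise IntegrityError(f"{name}: {algo} mismatch")
    return True


# Constructed sample: the archive as reviewed, and a same-length copy altered
# on the download server afterwards (so the size check alone would pass).
ORIGINAL = b"int main(void) { return serve(); }\n"
TAMPERED = b"int main(void) { return pwned(); }\n"
NAME = "example-1.0.tar.gz"

MANIFEST = parse_manifest(
    f"DIST {NAME} {len(ORIGINAL)} "
    f"SHA1 {hashlib.sha1(ORIGINAL).hexdigest()} "
    f"SHA256 {hashlib.sha256(ORIGINAL).hexdigest()}\n"
)


def demo():
    """Return (result for the reviewed archive, error text for the altered one)."""
    ok = verify(NAME, ORIGINAL, MANIFEST)
    try:
        verify(NAME, TAMPERED, MANIFEST)
        err = None
    except IntegrityError as exc:
        err = str(exc)
    return ok, err


if __name__ == "__main__":
    print(demo())
```

The protection depends on the manifest reaching the user through a channel the download server does not control; a digest published next to the file on the same server can be replaced along with it.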


Gentoo is hardly a server-ready operating system. Find similar stories on Debian or CentOS instead?


>You can't trust anybody except for open source repositories.

That is patently false.

Established profitable companies in a market with multiple competitors usually do not fuck with their customers, if they charge up-front for their product/service.

On the other hand, companies that give away stuff for "free" have to find unique ways to pay the bills (be it hosting fees, or hardware costs, or developer time, etc). In recent years the most common way is to create some way to essentially trick people into clicking ads.

Open Source repositories have not found any long term sustainable method to get compensated for their hosting fees or hardware costs. At the moment, they are run on donations - mostly from commercial vendors, universities and the like. At some point in the future, let's say if 500 million desktop users all start using those repositories, there will come a time when that cost is going to stick out on a balance sheet. I hope that they figure out a way to get paid for their efforts by then.


> Established profitable companies in a market with multiple competitors usually do not fuck with their customers, if they charge up-front for their product/service.

Lenovo (and lots of other hardware manufacturers) are proof positive that this is absolutely not the case. There isn't a Windows machine bought over the years by my extended family that did not have a whole pile of junk on it right from day one including ad injectors such as described in the article.

Whether or not open source is 'viable' for large numbers of users is no longer a question that needs settling. For bandwidth we have torrents if need be.


My computer didn't come with any junk on it. Even otherwise, pointing out what some companies do in ONE market means nothing. That is why I used the word usually. I guess it is no longer expected to read what someone says before responding. Good job on that.


As long as you say "usually", nobody can ever disagree with you!


Heh. :) Even though I could, I won't disagree with you.

Anyway, I view most comment sections as informal/idle chit-chat, and not courtroom/dissertation situations where everything needs to be cited and/or "proved". When I'm commenting I'm usually smiling to myself or amused, not angry or trying to "win" anything.


Open source projects are often developed by volunteers, and hosted by free services like github or bitbucket.

I've actually never seen a freedom-respecting project that included adware, and I can confidently say that the reason for that is that if a team were to do that, somebody would fork the repo and remove the offensive junk. As long as it gets caught, it's a self healing ecosystem. The same cannot be said for non-free software, as the pool of people who could find junk is so much smaller, but also because if junk were to be found by an employee, they'd have very little power to actually do anything about it.

Open source is volunteers, and when it's not, they run on donations. When the donations stop, they stop. Some have found clever ways to make money, such as pay4premium or pay4support, but I've never seen ad injectors. Those come from third party distributors who aren't affiliated with the projects and can be avoided.



Looks like techcrunch is running an unwanted article injector :-)


I'm a Chrome extension author and I've been contacted at least a half-dozen times by shady companies that want me to add some "totally unobtrusive" ad-injection javascript into my extension.

I've been told I could make $0.50/user based in the US per month. That would be a nice raise, for sure, but I'm not the type of person willing to sell out my users to make a little extra dough. Plus I am a user of my own extension, and I don't want ad-injection. And how long could one possibly retain users once you start injecting ads? Probably a steady decline until you're left with the users that don't know where the ads are coming from.

Selfish plug to my extension here: https://chrome.google.com/webstore/detail/musicality-music-p...


I know this isn't the place or time, but I got your extension and I would like to request that the archive.org music player be added to it. I do not know how to contact you through your site or send a pm through here or github.


Thanks. I'll add it to my backlog!


If you turn on CSP reporting for your web-site you'll see a LOT of reports about attempted script injection into your site. When you research it you'll find that these come from malware/extensions which are pushing ad content and other nonsense.
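
A sketch of how the reports mentioned in the comment above could be triaged on the receiving side, added here as an example and not part of the thread. It assumes the legacy `report-uri` JSON body; the host names and the sample reports are constructed.

```javascript
// Schemes browsers use for extension-owned resources. Some browsers report
// only the bare scheme (e.g. "chrome-extension") instead of a full URL.
const EXTENSION_SCHEMES = ['chrome-extension', 'moz-extension',
  'safari-extension', 'safari-web-extension'];

// Hosts the (hypothetical) site legitimately loads resources from.
const OWN_HOSTS = new Set(['www.example.com', 'static.example.com']);

function isExtensionUri(value) {
  return typeof value === 'string' &&
    EXTENSION_SCHEMES.some((s) => value === s || value.startsWith(s + ':'));
}

function hostOf(value) {
  try { return new URL(value).hostname; } catch (e) { return null; }
}

// Classify one raw request body received by the report endpoint.
function classifyReport(rawBody) {
  let report;
  try { report = JSON.parse(rawBody)['csp-report']; } catch (e) { report = null; }
  if (!report || typeof report !== 'object') return { kind: 'malformed' };

  const blocked = String(report['blocked-uri'] || '');
  const source = report['source-file'];
  // Either field pointing into an extension means the page was modified
  // inside the visitor's browser, not by the site itself.
  if (isExtensionUri(blocked) || isExtensionUri(source)) return { kind: 'extension' };
  // Keywords carry no origin: could be our own inline script or an injection.
  if (['inline', 'eval', 'data', 'blob', ''].includes(blocked)) {
    return { kind: 'needs-review', detail: blocked || 'empty' };
  }
  const host = hostOf(blocked);
  if (!host) return { kind: 'needs-review', detail: blocked };
  // Our own asset was blocked: the policy is incomplete, not an attack.
  if (OWN_HOSTS.has(host)) return { kind: 'own-resource', host };
  return { kind: 'foreign-host', host };
}

// Aggregate a batch so the noisiest injected hosts stand out.
function summarize(rawBodies) {
  const counts = {};
  const foreignHosts = {};
  for (const body of rawBodies) {
    const r = classifyReport(body);
    counts[r.kind] = (counts[r.kind] || 0) + 1;
    if (r.kind === 'foreign-host') {
      foreignHosts[r.host] = (foreignHosts[r.host] || 0) + 1;
    }
  }
  return { counts, foreignHosts };
}

// Constructed sample bodies (not real traffic).
const mk = (fields) => JSON.stringify({ 'csp-report': Object.assign(
  { 'document-uri': 'https://www.example.com/',
    'violated-directive': 'script-src' }, fields) });
const SAMPLE_REPORTS = [
  mk({ 'blocked-uri': 'https://ads.injector.invalid/inject.js' }),
  mk({ 'blocked-uri': 'https://ads.injector.invalid/inject.js' }),
  mk({ 'blocked-uri': 'chrome-extension' }),
  mk({ 'blocked-uri': 'inline', 'source-file': 'moz-extension://0000/content.js' }),
  mk({ 'blocked-uri': 'https://static.example.com/old.js' }),
  mk({ 'blocked-uri': 'inline' }),
  'not json',
];
```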


Similarly, if you have a site set up to make an ajax connection back to your server whenever an uncaught javascript exception happens (protip: if you do this, make sure to throttle it, or else if you push a bad update that makes users' browsers get stuck in a loop throwing errors, they will all try their damnedest to DDOS you!), then it's very easy for most of the reported errors to not actually originate from your site's own scripts but be from browsers broken by adware. I've been very surprised that I haven't seen more talk about this until now.

I remember trying to track down a bug a few users reported, and I finally discovered that the users all had a specific piece of malware that replaced the javascript setTimeout function with a version that only took two arguments, which caused my code to break in frustratingly subtle and mystifying ways.
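
One way to build the throttled error reporting described in the comment above while separating errors caused by injected code, added here as an example and not the commenter's code. The `send` callback, the origin and the sample stack are assumptions.

```javascript
const URL_IN_FRAME = /[a-z][a-z0-9+.-]*:\/\/[^\s)]+/gi;
const EXTENSION_FRAME = /^(chrome|moz|safari(-web)?)-extension:/i;

// Heuristic only: built-ins stringify as "[native code]". A replaced
// setTimeout usually does not, although a careful wrapper can fake it.
function looksNative(fn) {
  return typeof fn === 'function' &&
    /\{\s*\[native code\]\s*\}/.test(Function.prototype.toString.call(fn));
}

// Sort the URLs found in a stack trace into our own code vs. injected code.
function analyzeStack(stack, ownOrigin) {
  const urls = String(stack || '').match(URL_IN_FRAME) || [];
  return {
    own: urls.some((u) => u.startsWith(ownOrigin + '/')),
    injected: urls.some((u) => EXTENSION_FRAME.test(u)),
  };
}

// `send` is a hypothetical callback that posts the payload to the server.
function createErrorReporter({ send, ownOrigin, maxPerWindow = 5,
                               windowMs = 60000, now = Date.now }) {
  let windowStart = now();
  let sentInWindow = 0;
  const stats = { sent: 0, throttled: 0, foreign: 0 };

  function report(error) {
    const frames = analyzeStack(error && error.stack, ownOrigin);
    // No frame from our origin (or no stack at all, as with cross-origin
    // "Script error."): count it locally, do not send it.
    if (!frames.own) { stats.foreign += 1; return 'foreign'; }
    if (now() - windowStart >= windowMs) {
      windowStart = now();
      sentInWindow = 0;
    }
    // Client-side cap: a bad release that throws in a loop must not turn
    // every visitor's browser into a flood source.
    if (sentInWindow >= maxPerWindow) {
      stats.throttled += 1;
      return 'throttled';
    }
    sentInWindow += 1;
    stats.sent += 1;
    send({
      message: String(error.message),
      injectedFrames: frames.injected,
      // Meaningful in browsers only; Node implements timers in JavaScript.
      timersPatched: !looksNative(globalThis.setTimeout),
    });
    return 'sent';
  }
  return { report, stats };
}

// Constructed stack: our code calling a timer that an extension replaced.
const SAMPLE_STACK = 'TypeError: bad timer\n' +
  '    at tick (https://www.example.com/app.js:20:1)\n' +
  '    at chrome-extension://aaaa/inject.js:3:1';
```

In a browser, `report` would be called from a `window.onerror` or `error` event handler; tagging mixed stacks instead of dropping them keeps real bugs visible while making adware-induced ones easy to filter.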


I also have wondered why this isn't talked about more often. We see an unbelievable amount of garbage from catching uncaught client-side errors.


Here's an example of said extension.

https://gist.github.com/fsaintjacques/e53eadd8b260a4105bbf

If you want to test the effect of it, copy/paste 'console.js' content in Chrome's console. I recommend going into incognito mode:

https://gist.github.com/fsaintjacques/e53eadd8b260a4105bbf#f...


How is this not simple vandalism? Throw the people responsible in jail.

If they are outside the country, freeze their American bank accounts *and* the bank accounts of any business that advertises with these injected ads. Precedent: we already have laws that, for better or worse, require hardware stores to perform age checks when someone buys spray paint.

This isn't primarily a software problem. This is a problem because nobody is enforcing vandalism laws which encourages the adoption of "vandalism as a business model".


I believe this. We've recently been tracking down bugs coming from users of a web site a friend and I run. We couldn't figure out what was going on until we realized that some injected code was stomping on our site's code and breaking everything. Grrr. So now we have to decide if we want to change all our code to be way more defensive (or offensive) so that we work in the face of hostile injected code. Or perhaps we just live with 5% of our users not working.


Given the number of insanely infested Windows machines I've fixed for friends and relatives, I'm surprised it's so few. On the other hand, I suppose most of those people use Bing on IE since it's never occurred to them to change the default, as they probably don't distinguish between Google, Yahoo and Bing anyhow.


I am one of these spammers. I had a chrome extension and was approached by revjet.io about adding injected ads. The ads typically overwrite the site's normal ads.

I see it as stealing the ad revenue from the content creator (which is often Google), which is the same as using adblock.

(the extension mentioned that ads were being used and you could also disable them)


> "It’s also worth noting that ad networks often also don’t know that their ads are being used in this way."

So, ad networks don't know about a source that hits them with the 5% of the total throughput of Google's sites? Yeah right.


There's some nuance here.

The ad network whose script/iframe is directly injected onto the top frame can know fairly easily, since they know which accounts should be linked to which domains, however when these inevitably get resold, these subsequent ad networks have a much tougher time.

What ends up happening is that the first thing that gets injected is some totally shady ad network that doesn't care, who will then resell it to someone slightly less shady, who will bundle it with a pile of other traffic, etc, etc, until it's been laundered enough times that it's hard to separate this out.


An ad injector by definition is a proxy that sits somewhere between the user's initial request and the end web server. It could be a local program, a browser extension, a remote proxy, or any proxy on the route of request to response. If it has access to data in transit, it can modify it. Often it doesn't even need access to the data because it can just append a block of javascript to an incoming HTTP response.

Obviously this is harmful to users because the implication is that the technique also requires SSL stripping, or trusting invalid root certificates like we saw with Superfish. It's also harmful to advertisers and ad networks because it pollutes tracking data and makes it hard to determine click fraud.

But let's not kid ourselves. Google does not care about the user. They simply have no need for ad injectors because they already have far superior methods of tracking us and invasively advertising to us (reading our email, watching our GPS location, knowing when we are home, what videos we watch, etc.) To google this is just a nuisance and they get some free PR for standing up to it along with a respected academic institution. Yay, google! Protector of users!

But wait. Isn't this exactly what Verizon, ATT, and Comcast are all doing? Verizon was modifying HTTP headers during the summer. ATT charges users not to inject tracking into packets. Comcast injects HTML into xfinitywifi connections. How is this any different? Sure, tracking headers do not manifest themselves in annoying pop up ads, but they are still messing with user requests and have almost as many security implications.

If Google is going to take a stand against ad injectors, they need to take a stand against all packet injection. These scammy popups are just the bottom of the totem pole. If they could get away with what the big telecoms are doing, they would obviously do that instead.


Google has mostly transitioned to HTTPS which makes network packet injection/sniffing useless on their sites. Since it's no longer their problem, why do they need to take a stand?


If Verizon owns your phone (literally, in the case of their edge program), all they need to do to inject tracking into HTTP packets is install a trusted root cert for themselves on your phone. One might argue that's not even wrong for them to do.

Also, Verizon and ISPs in general don't need access to unencrypted HTTPS data to track you. HTTP is an application layer protocol (top of OSI model), but your ISP can track you all the way down to the physical layer (bottom of OSI model). They still have all the metadata of your packets, even if they don't have the unencrypted content of them, because they literally own the wires/spectrum that your device used to send data. That means they can see when you use the Internet, what IP addresses you go to, how much content you send to each, etc etc. I don't think I need to explain to HN how much you can extract from metadata.

My point is that Verizon is not playing the game of injecting the actual ads you see. They inject tracking codes, or track you in other ways, but they still sell that data to the same advertisers who benefit from ad injectors. (Because ultimately, an ad is an ad, no matter how it got in your computer, and if you click it, the advertiser stands to benefit.)

Google should take a stand because the problem of ad injection is a symptom of the bigger problem, which is messing with user traffic in general.

Perhaps the solution is breaking up control of the OSI model. The companies running your cable should not be the same ones servicing you in the application layer.


- ssl stripping

- browser extensions


These guys are pretty annoying. And it adds an "untrusted" advertising stream to the page, a channel which has been the source of malware infections in the past.

I'm really curious how this all turns out. I can't imagine the deteriorating system lasting another 5 or 10 years. So what happens after? Clearly advertising has _some_ value, I loved BYTE magazine as much for the ads as I did for the articles, and there are underserved retailers (a lot of Business to Business stuff) as the trade magazines take hits. So how do people discover this stuff? How do they find those opportunities when Internet ads are dead?

Or do we get to a more reasonable advertising load? Something without flash/js jiggling around and trying to get your cursor. How will sites let users know they don't allow "invasive" ads? How will users respond? For me at least I think it is the difference between Web 2 and Web 3.


How did you discover websites before advertising took over the web?

I don't remember having any trouble discovering new stuff, rather the opposite, word of mouth and following links gave an endless stream of new and interesting stuff.

This site alone generates more info in that bracket than I can keep up with (even though I really try to).


GNN ? :-) Generally discovery of web sites wasn't nearly as difficult as discovering new products. It's the flip of that problem that is hard. Which is BYTE would sell advertising to companies that wanted to reach people building/using/programming microcomputers like me. But these days people consume their information from a thousand sources, whether it is a mention here, or an article on reddit, or Ars. So how does the advertiser in the 21st century "reach" the people likely to be interested in new offerings about their particular expertise? And especially how do they do that when the existing mechanism, site advertising networks, has been burned to the ground by abusive ad networks? Do they hire consultants to find and make agreements with the 10 sites they want to "sponsor" for the roll out of Product X ?

I don't worry about finding content, but I do wonder how folks who have something cool will reach me.


> “Unwanted ad injectors aren’t part of a healthy ads ecosystem,” Google Safe Browsing engineer Nav Jagpal writes in today’s announcement. “They’re part of an environment where bad practices hurt users, advertisers and publishers alike.”

Healthy ads ecosystem? WTF? The internet is inundated with garbage because of the perverse incentives wrought by ad-based revenue models, not to mention the other costs of advertising: https://news.ycombinator.com/item?id=8585237.

Google is to me and to a growing number of people an "unwanted ad injector" built into a vast number of web-sites which would, if Google and others didn't make it so easy to get ad revenue, be forced to do what you're supposed to do in a healthy free-market ecosystem: make products good enough that people are willing to pay for them.


> Google is to me and to a growing number of people an "unwanted ad injector" built into a vast number of web-sites…

The difference is that those websites willingly allow ads of a specific type to be injected into themselves. The browser toolbars inject ads into everything, which is annoying (and breaks sites due to poorly coded injection).

I'm with you though—ads of any type are pretty annoying. But that's what adblock is for. :-)


That's funny as it is mostly Chrome extensions that inject adverts from what I have seen. I wondered why Ghostery was blocking 20 trackers on YouTube - it was all the random extensions that require full access to everything.


There is a whole industry of Pay Per View (PPV) ad networks that basically operate this way. A few that come to mind: Trafficvance, LeadImpact, Media Traffic and DirectCPV.

I don't know where Trafficvance gets their traffic but it seems to be pop-over ads probably from some installed software. DirectCPV seems to be interstitial ads that the sites actually choose to use (think big news sites with an ad before you read the article). Most of them seem to be spyware/crapware driven. Those are the only two I've worked with in the past so I can't speak on the others.


Maybe if Google AdWords wasn't a malware delivery tool...


And this is why open source, combined with trusted repos is the way to go. Granted, I do have a few closed source apps (Steam, games, Chrome and Opera contain open source bits but are also closed source), but those are apps I mostly 'trust' (I don't trust them 100%, but then again I'm also not poring through the Linux kernel code).

Best way to avoid scams is common sense (if something looks dodgy, it probably is).


I wonder how this compares to the % of users that have ad blockers installed. Ad injectors might be a bigger hit on their revenue than ad blockers.


> Google and the Berkeley researchers found that ad injectors are now available on all major platforms and browsers.

Bull. iOS is a HUGE chunk of web browsing and it's immune from this stuff unless you jailbreak or are conned into installing a root cert and VPN.

You can't just download an app from the store or visit a site and find it installed like you can on a desktop.


"When it comes to malware, ad injectors may seem relatively benevolent at first."

Did they mean 'relatively benign'?


In the case of chrome extensions and apps, Google was working on an ad solution a couple of years ago but didn't end up releasing anything. In light of no viable monetization solution for this kind of software it's natural devs have to resort to these kinds of practices.


I see ad injectors installed on all my friends and family computers.

I think people have developed some kind of ad-blindness.

I remember a friend using facebook and some crazy and animated ads were taking 80% of his screen, I asked him "doesn't this bother you?" , he says "meh".


I wonder if the users who have 2 or more ad-injectors installed did not get "re-infected" but rather the first infection opened the door to more? Or maybe it's a specific vulnerability that is being exploited by multiple spyware vendors?


Browsing sites on my Android phone is the worst. I frequently get re-directed right off the page to either Google Play to install some dodgy app, or some site that tries to download the APK directly.


This happens a lot on iOS too - even some respectable sites have ads that open the App Store without any user intervention. I'm not sure why Apple allows this.


They stopped it with iOS 8, but after a few weeks someone had found a way around it and the problem was back.

It doesn't affect me much, which must say something about the sites I read. But it is obnoxious as hell.


I've had it happen even on imgur and seemingly respectable news sites. I would expect to get an "Open the App Store?" dialog, but I suppose people find ways to circumvent that.


Google should stop running its server side Ad-Injectors before they complain about the client side ones.


Do these injectors work with https (ssl) sites?

Where in the web page fetch/render process does this occur?


Most extensions and toolbars have access to the DOM via browser javascript methods (Safari, Chrome, Firefox), or C++ Browser Helper Objects (BHOs) in IE, so they can inject and redirect content if the user installs it.


Not unless they do something incredibly stupid like install a certificate authority and hijack every SSL session. [1]

[1]: http://en.wikipedia.org/wiki/Superfish#Lenovo_security_incid...


They're often browser toolbars, which'll work fine on SSL sites.


That HTTPS supposedly keeps out ads like this was one of Google's selling points for suggesting HTTPS to publishers. I was expecting this article to end with "and that is why all sites should be running HTTPS now".

5% is a lot. If HTTPS reduces this number to 1%, it might be worth the change.


HTTPS will keep out injection during transit from the server to your computer. But it will do absolutely nothing against toolbars and other browser extensions and that is what this article is about so at a guess the 5% is on top of injection in transit.


Why does the browser even allow any toolbar/extension to modify the content that was delivered on an HTTPS connection? Isn't the data that is delivered over HTTPS pristine that it should not be modified at the browser endpoint by the browser?

I am a layman in security and do not understand a lot of this. Maybe I missed something here. Is my question correct?


Not all HTTPS connections are to your bank.

You're probably reading this page using https and there are quite a few extensions to modify the look and feel of hackernews.

Changing on-page content is just about the only reason extensions exist in the first place. Without that you could retire just about all of them.


Extensions MUST be able to modify content. Think about noscript or adblock - if ads were served over https, and you were not allowed or could not technically block them? If analytics trackers were all over HTTPS and can't be blocked or disabled?


Can you recommend what can be done on a Mac to remove such ad injectors?


I guess it balances out those with ad blockers.



