Sadly, I've always considered adblocking software a form of security software rather than a mere convenience. Years ago I had to remove a mess of malware from my parents' PC due to a malvertisement received via MSN[1]. Since that point I've installed privoxy and uBlock Origin or similar on all PCs that I am asked to help with.
Despite all of the talk about "blocking the ad blockers", I've yet to receive a phone call from anyone saying this or another web site didn't work, "Can you fix it?" I'm guessing their usage is limited enough that they don't encounter it (my dad does visit Forbes, but I haven't heard complaints).
There's no way I'd surf the internet these days without ad blocking enabled and I rarely white-list sites out of concern for my data. It's becoming as important as personal firewalls / antivirus once were.
[1] There was a brief period during the time that they received the malware that MSN had been hit by malvertizing and they had that as their homepage, but it could have come from elsewhere. The bottom line was that there were no sites in the riskier categories that were in their browsing history and my parents' proficiency does not include a good understanding of "incognito browsing".
I just switched back to that, actually. Months ago, my default browser was Firefox Developer Edition and uBlock Origin had a bug related to LastPass that caused LastPass to hang the browser so I had switched to ABP.
Unfortunately, LastPass started acting up in FireFox a few weeks ago and I decided to give in to Chrome, again, so I've happily returned to uBO.
I go back and forth on which to install for people that routinely come to me for help (I'm a developer, not a helpdesk, dammit!). I'm not sure if it's still the case, but months ago I actually did receive a call from my father when he attempted to install an open-source PDF creation tool that he uses at work on his home PC. It was hosted by SourceForge which uBlock had large swaths of in its blacklist. The installer did contain a bull$#*+ toolbar (several, actually), but he's familiar with avoiding crapware directly placed within installers (and to avoid "Express Installations").
I'll get a phone call every time when a piece of crapware causes videos to play on Google's normally spartan search page, or ransomware is asking for "... something called a 'Bitcoin'? I don't remember installing a 'Bitcoin'."
They don't bother calling when one of the thirty places they get news from stops working.
This kind of exploit is going to keep happening. The most egregious cases involve PageFair, which offers a tool to publishers that circumvents ad blockers. They too have served malware, for instance at The Economist. http://www.theverge.com/2015/11/6/9681124/pagefair-economist...
Sometimes I think we ought to have civil liability for software security. A few lawsuits would shut stuff like PageFair down.
It would be nice if the sites themselves took some responsibility. If your ad contract includes strong SLAs with massive penalties for malware distribution, the company providing you with ads will probably take a bit more time to vet them.
It baffles me that that isn't already boilerplate in advertising contracts. Sites whine about having their revenue impacted by ad blockers, but they make no effort to ensure the security of their users. Why is nobody ever held accountable for these sorts of breaches? Shifting risk to your customer is a horrible idea - nobody would buy a new car without a warranty, so why on earth are we expected to play Russian roulette with our bank accounts, personal data, and often our employer's assets?
I guess the market will teach them sooner or later, but I really do not understand why the current state of ads is so widely accepted by the people who are trying to sell them.
It seems like a circular argument you're having with the parent, but you haven't yet realized it.
The profit motive is the ultimate incentive. If it takes too much time, reduces revenue by too much, or increases expenses, the ad publishers and networks will find ways to mitigate those issues.
If there aren't waves of lawsuits from users who received malware from ads, there is no direct cost. If vetting ads before they are hosted costs money or reduces the bids for those ad placements, networks are incentivized against doing so.
In my experience, most ad networks have blacklists for bad actors but no vetting and thus no whitelists. Blacklisting means there necessarily will be end-users that get infected
and only a percentage of them will know it,
a percentage of those will know where it came from,
a percentage of them will report it, and
only a percentage of those reports will culminate in advertiser blacklists.
It's a numbers game and currently the expenses from lawsuits (the only perceived expense for publishers+networks) is much less than the revenue lost + expenses from pre-vetting all ads before they are used.
Agreed. I did see a few "disable your ad-blocker or you can't use our website" notices a couple months back but haven't seen one since.
It would be interesting to see what happened to their numbers. I imagine they alienated a lot of users by doing that and had to stop.
At my company we have an initiative to roll an ad-blocker out to about 2,500 desktops just to prevent the clean-up costs and improve user experience while using our own white lists. Given our industry, we just can't risk it even with threat management firewalls, OpenDNS Umbrella, and some well-engineered multi-layer security going on.
The disappointing thing for me is that I appreciate well-placed and curated ads. I white list some sites to support them, etc.
It's the websites that remind me of the sort of silliness in the movie Idiocracy [1] that are impossible to use, not to mention trust with your computer.
I agree--but the issue will likely be traceability. That is, how can the victim prove that the malware they received came from PageFair? Unless the victim had a log of all network traffic, I'm not sure there's any way to show that.
Yes. It's funny how more and more sites act like it's morally wrong to block ads, but obviously aren't willing to do the work to protect their visitors from this sort of thing.
They could deal with advertisers themselves and manually approve and display text/image ads from their own domain (as it was done in printed newspapers), but isn't it easier to just leave a div+javascript and have the right of arbitrary code execution in a chunk of your page get auctioned off to the highest bidder by several shady ad networks?
Just go to www.bbc.com and look at what domains your ad-blocker denies: edigitalsurvey.com, chartbeat.com, googletagservices.com, scorecardresearch.com, effectivemeasure.net, iperceptions.com, krxd.net, optimizely.com... now imagine if your printed newspaper shot at you a GPS receiver with a mic, a cam, etc. Surely it wouldn't be morally wrong to duck and avoid that bug?
You're still susceptible to ad-blocking if you serve a plain image ad from your own domain though, which sucks for those of us who do it. If there is a way to alert users that you vet, self-serve, and don't use animated ads, I'd love to know about it :)
Uhm, I use uBlock Origin and when going to the site in your profile I don't see any image blocking (just google analytics and social media plugins). The ads in the sidebar (id="ws_widget__ad_codes-3"?) display just fine, and I would say that your site is the perfect example of how ads should be: highly relevant, static, well designed, correctly integrated in the look and feel of the page...
The last time I checked with Adblock or Adblock plus (I don't remember which) I seem to remember it filtering out commonly used indicators of ads like divs with ad-related names or filenames containing _300x250_ etc... I could be mistaken though.
Thanks for the kind words too, I've really tried to make the site a place that I would personally like to browse and am glad to hear other people feel the advertising is nicely done.
I happen to disagree with that method of blocking ads because of false negatives and false positives; isn't the solution simply to remove the offending patterns from your filenames?
I'll add to the praise for your site. Your ads remind me somewhat of those from The Deck [1], although yours are nicer because they're 1st-party. Are you able to share any info. about the model? Do advertisers pay per click or per impression? If the latter, how do you prove your traffic figures to them, or have you built up a suitable level of trust?
Yeah, filename changing is what I would end up doing.
As far as the model is concerned, a lot of the industry is familiar with magazine advertising so I just go with a monthly rate to keep things simple. There is trust involved, though most run a trial before committing to anything longer-term so they are able to see if the level of generated activity meets their expectations.
It is much easier to do this kind of advertising because the content itself is so narrow that the readership ends up being narrow, whereas a general site like BBC or CNN you end up having a wide audience and then end up needing tracking tools to help narrow the audience into smaller groups.
Ads are usually filtered by the serving URL, so ads such as yours shouldn't be blocked. I just tested the site in your profile as well, and the ads were there, even with uBlock enabled. There weren't any visual differences loading the page with/without it.
In mitigation I run a smallish B2B news site and I only run ads we've sold direct (and vetted) and Google Adsense to fill some of the unsold inventory. However, I found out not too long ago that Adsense now throws stuff from literally hundreds of ad networks at its clients, which is definitely not what I expected when I signed up all those years ago. I've had to go in and manually turn them off, and will soon be turning off Adsense altogether. I'm not seeking to maximise my display advertising revenue though, as I've observed it usually comes at the expense of irritating readers.
Not everyone has the ability or desire to personally sell ads. I think it's pretty cool that today you can earn maybe $1000/mo with a moderately popular website you run yourself.
I wonder why The Guardian isn't (at the time of writing) allowing comments on that article. Could it be because their business model has an over-reliance on people not using ad-blockers?
Probably because the comments would make them look bad. That seems the general reason for a Guardian article having/not having comments. If they think the userbase are likely to agree with the writer they'll be on, and if they think the userbase is likely to eviscerate them (or in cases like this, talk about adblockers and stuff), then they'll turn them off.
It's nowhere near that simple, unfortunately. They have comments enabled on many news stories. They moderate very heavily, and as a result use a complicated system whereby comments may or may not be enabled on a given article at a given point in time, depending on a) how 'controversial' the subject is b) moderator availability.
a) I like to limit the number of random extensions I install on my browser.
b) The fact that Forbes turned on an adblock-blocker shows me that they are seeing a significant revenue hit on account of adblocking, which will force them to do paywalled content sooner or later. I don't value Forbes content that much (in fact, it's often click-baity), so I'd like to wean myself off it sooner rather than later.
Yep. I haven't even attempted to click on a Forbes link (shared, or recommended) in ages. Any site that still serves interstitials also gets promptly sent to the pits of despair or dev/null.
It's weird to me that we keep treating the sites that run malvertising as victims instead of fully complicit. If the print edition of the New York Times ran, say, a full-page ad for the KKK,* and responded to the outrage with "haha, sorry, we outsourced our advertising to a third party with no oversight," they'd be crucified. But somehow websites are exempt from responsibility for the things that they publish.
Has anyone proposed getting sites that serve e.g. ransomware to pay the ransoms for everyone affected? That seems entirely reasonable.
Shocking that the BBC is affected by this, given that it should be advertising-free. Presumably, this affected non-UK residents[1], but as a public service the BBC should have much higher standards when it comes to advertising.
[1] With the obvious caveat that a website can't reliably determine that.
Aren't all world-facing websites "a public service"? BBC within UK has a special remit because of the funding structure (thanks to the increasingly-inaccurately named "TV" licensing fees), but BBC [Worldwide] is just another content provider in the big old crazy world.
It doesn't seem surprising that BBCW use an external advertising network: it would be a pretty huge investment to operate their own advertising markets throughout the world ... and surely if they did, they'd then on-sell those services!
Seems that the notable part of this attack is that several high-profile websites were affected, so BBC (and NYT, and AOL, etc) suffered some damage to their brand, so they'll have to work on that. The article notes that "malware was delivered through multiple ad networks", which speaks to failures by those service providers. Reckon there will be some very heated conversations and perhaps fee renegotiations with the networks happening over the next few weeks ;-)
> it would be a pretty huge investment to operate their own advertising markets throughout the world
It is becoming clearer and clearer to me that this is one of possibly two options left for businesses wishing to make money online via advertising. Self-hosted adverts are probably the best way to regain trust and circumvent ad-blockers. A quality, trustworthy third-party network is the only other possible option I can imagine, but that seems far less viable.
I'm sure that most networks start off with such lofty ideals, maybe they even believe them ... :-o
EDIT: To expand a little on the previous thought: you were shocked that the BBC website was serving up dodgy ads, presuming maybe that they'd have their own curated advertising portfolio. Closest comparison I can think of is perhaps the Economist website, also London-based, and no small prestige branding that they make sure to protect by only showing ads for Lexuses and Rolices (Rolexen?). The major differences of course are that Economist is somewhat more up-market, and the ads are seen locally in the UK.
I can't readily find any figures on how much cash BBCW makes off website ads, but I'd have to assume that it's burger money -- a few quid here and there for negligible effort, and after all who cares if the brand is tarnished abroad?! If on the other hand BBCW went into the ad curation business, and even if it happened to be profitable, there's every chance that voters or MPs would get stroppy about it, and BBC gets a hard time going into the next licence fee negotiations. Ultimately, BBC's brand outside the UK isn't something that the UK public necessarily worries about.
> You will have noticed that the BBC website features a limited amount of advertising when viewed from outside the UK.
There's a bunch of people outside the UK who use BBC content and who want a way to pay the BBC. It's a shame the BBC uses ads (which are pretty horrible) rather than working out a better payment (or even micro payment) system. The BBC said this in 2014:
> Can I pay a subscription to view the site without ads?
> We're unable to provide a subscription service at the moment but will be able to do so in the future. As soon as the service is ready we'll communicate it to all our international users.
> The vector of attack, through compromised ad networks, will also serve to inflame the debate around adblockers.
This is the largest reason I install adblockers on my own laptop and phone as well as everyone in my family. I allow zero exceptions for ads. I'm willing to pay for content via other means (for example google contributor), but attack surface is simply too large.
I actually use adblockers on my phones for a different reason. On my phone I'm reasonably sure I won't be affected by malware (up to date Nexus and I know not to install unknown applications), but ads take up data and slow down browsing.
One of the things I've long known as a programmer for the web is that when you let a third party put content on your web site, you don't have control over what they do.
Whether it's a person entering content and you fail to sanitize it, or pulling in ads from an external network, the end result is that you get something like this eventually.
I don't have a solution, really, because nobody wants to pay for content, so sites have to use ad networks. But I'm surprised this hasn't happened much sooner.
If it's not served from the domain I've visited, I don't want it. If it is served from the domain I've visited but not over SSL, I don't want it. Then the certificate owner should be responsible for any damage resulting from the stuff signed by their key.
This gets tricky with things like embedded YouTube and Twitter content. I would be right with you blocking content not from the same domain, but I will constantly be clicking off page to watch a video or view a tweet, etc.
If they serve their own JS from their own servers, let it be. Others (Facebook Connect, GAnalytics and Twitter seem to be _everywhere_): walk away.
This obviously renders most of the sites to bare HTML due to the excessive and unneeded use of CDNs, and is a massive pain to use for the first weeks, but after a while the whitelist gets you to a friendly web level.
uBlock also runs in the background, just in case things leak through, or I quickly want to check something and I need to turn Policeman off.
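As an added illustration of the two rules discussed in this thread (the "same domain, over HTTPS, or I don't want it" policy above, and the earlier point that substring filters such as `_300x250_` can catch a site's own first-party image ads), here is a small Python script. It is example code written for this page, not part of uBlock Origin, Policeman, or EasyList; the page URL, the HTML, and the filter substrings are constructed sample data, and `site_of` uses a deliberately crude last-two-labels approximation of the registrable domain (it does not handle public suffixes like `co.uk`).

```python
"""Classify the resources a page pulls in: first- vs third-party, plain-HTTP vs
HTTPS, and which URLs would trip simple substring filters like ad blockers use.
Example code for this discussion; not from any ad-blocking project."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page for a hypothetical site example-news.test (not real).
SAMPLE_PAGE_URL = "https://www.example-news.test/story/1"
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-news.test/lib.js"></script>
<script src="https://googletagservices.com/tag/js/gpt.js"></script>
<script src="http://www.example-news.test/legacy.js"></script>
</head><body>
<img src="/images/banner_300x250_march.png">
<img src="https://scorecardresearch.com/b?c1=2">
<iframe src="https://adserver.example/frame"></iframe>
</body></html>
"""

# Constructed substring patterns in the spirit of EasyList-style rules (the thread
# mentions _300x250_); illustrative only, not EasyList itself.
FILTER_SUBSTRINGS = ("_300x250_", "/ads/", "googletagservices.com",
                     "scorecardresearch.com")


class ResourceCollector(HTMLParser):
    """Collects the src/href URLs of script, img, iframe and stylesheet tags."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "img", "iframe") and attrs.get("src"):
            self.urls.append(urljoin(self.base_url, attrs["src"]))
        elif tag == "link" and attrs.get("rel") == "stylesheet" and attrs.get("href"):
            self.urls.append(urljoin(self.base_url, attrs["href"]))


def site_of(host):
    """Crude registrable-domain approximation: the last two labels.
    Assumption/simplification: does not handle public suffixes such as co.uk."""
    return ".".join(host.lower().split(".")[-2:])


def classify(page_url, html, filters=FILTER_SUBSTRINGS):
    """Return one dict per loaded resource: party, scheme, and filter hits."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    page_site = site_of(urlsplit(page_url).hostname)
    report = []
    for url in collector.urls:
        parts = urlsplit(url)
        report.append({
            "url": url,
            "first_party": site_of(parts.hostname) == page_site,
            "https": parts.scheme == "https",
            "filter_hits": [f for f in filters if f in url],
        })
    return report


def policy_decision(entry):
    """The rule from the thread: same site and HTTPS -> allow, otherwise block.
    Returned as a string so the reason shows up in reports."""
    if not entry["first_party"]:
        return "block: third-party"
    if not entry["https"]:
        return "block: not HTTPS"
    return "allow"


def suspected_false_positives(report):
    """First-party resources a substring filter would still block: the site
    owner's complaint above, fixed by renaming the file to avoid the pattern."""
    return [e["url"] for e in report if e["first_party"] and e["filter_hits"]]


if __name__ == "__main__":
    report = classify(SAMPLE_PAGE_URL, SAMPLE_HTML)
    for entry in report:
        print(f"{policy_decision(entry):20} {entry['url']}  "
              f"filters={entry['filter_hits']}")
    print("first-party URLs a substring filter would catch:",
          suspected_false_positives(report))
```

Running it against the constructed page allows the two first-party HTTPS scripts and the first-party banner image, blocks the plain-HTTP first-party script and every third-party resource, and separately reports the banner image as the one first-party URL that a `_300x250_` substring rule would catch, which is exactly the renaming problem described earlier in the thread.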
If you use a modern browser you probably don't need the polyfills anyway, so why are you concerned about blocking them?
While not necessarily related to privacy, I've found sites where blocking self-served JS creates a better browsing experience because it gets rid of annoying effects and things like scrolljacking.
I wonder how much JavaScript is only being used to produce a small number of common effects. In other words, how necessary is it really for sites to execute arbitrary code?
Maybe we have reached the point where browsers should implement the top 10-20 effects in standard ways (that of course the user can choose to override). That would make it feasible for many web sites to avoid JavaScript entirely and still produce the effects they want, and let us move away from this “execute arbitrary remote code by default” aspect of web pages.
HTML5 has been going in exactly this direction re: form inputs (@autofocus, @required) but, yes, I agree that it would be nice to extend that to, for example, some of the core ui interactions present in frameworks such as bootstrap.
We can already do a bunch of effects that used to be done with JS using CSS alone (transition, animations, etc.).
Most of the JS that we do on websites these days is really helpful for the end user and is the result of the recommendations of UX specialists (form management, navigational help, async loading of content, preloading content, front-end browser geolocalisation, better responsiveness for mobile, etc.).
Agreed; using Firefox with NoScript, visiting 80% of sites is 4-15 times faster than Chrome on load time for me. If a site demands to load a lot of JS scripts from others, I see it as a huge warning sign.
Actually the web doesn't look too bad without javascript. It's not only safer, but you get no annoying pop ups, no text moving as you read it, etc. You basically get raw HTML+CSS.
Except when some idiot thought that he needed to create a complex SPA to render a blog article. But is the opinion of such an idiot really worth reading?
With uBlock you rely on someone manually maintaining a blacklist of domains. So it's only as safe as this person is quick to update their list and your uBlock is to load the new lists.
There is zero reason to require javascript to display a few paragraphs of text. You might enhance it with javascript but that wouldn't be a problem when viewed without. The blogs designed by an idiot I am referring to are blogs that will display a white page with javascript disabled.
I mean, if your day-to-day tasks are as basic as reading some text, then carry on. But if you're doing anything reasonably complicated or modern, it just won't work.
Chrome has a convenient way to add exemptions. I wish they had slightly richer features, like temporary exemptions or exemptions for first party scripts only.
A lot of this has to do with these sites using ad networks instead of/along with selling ads directly. Ad networks are very common with consumer sites, but many B2B sites don't use any at all. When you work directly with the agency or company (and you know they're a real agency or company), this doesn't happen.
Whenever I read stuff like this, I first wonder if my setup would be vulnerable to the attack, and if not, how much stuff I would have to turn off to be vulnerable? Chrome Stable + uBlock Origin + plugins disabled by default seems to be safe from everything but targeted zero-days. At least, I hope.
BBC's ads appear to come from Google's ad network. I'm curious how much effort Google puts into monitoring/policing the landing urls for this sort of thing.
I hope AdBlock (and/or similar) works out a deal with respective companies involved (Mozilla, Apple, etc) in order to be pre-installed in future downloads of major web browsers. In addition to visual chaos and privacy concerns, the risk of compromised systems due to malware via ads is too damn high and non-tech savvy users shouldn't have to suffer for it.