Seems more like taking a plant to your house while knowing it will listen to you, while there is a plant that won't listen to you but that you have to pay for.
That listening device is the cost of the plant... don't like it? Then pay to avoid it...
It's that simple, there's no alternative. They have to pay to make that content and send it to you. If it's not advertising that pays for it, that cash won't appear out of thin air. Someone needs to pay for it and if it's not an advertiser that does, it needs to be you.
There are plenty of news agencies that offer paid membership without ads, go for them.
There are plenty of people that can't afford to pay or that just don't have the means to. I remember the amount of content I was able to learn because advertising was subsidizing it. My parents were sadly against paying on the internet and I'm far from being the only one that learned that way.
> Sites bemoan ad blockers but then take no responsibility for the ads that are shown. That needs to change - it’s not like print advertising.
It has been changing and improving for years.
Your statement is true for the ad content for sure. (Though sites do take flack for inappropriate ad content, just like print publications have.)
This is irrelevant to the OP’s link, though, since it’s not a keylogger and keyloggers aren’t actually possible.
Ads are subject to the security rules imposed by the browser, and for the most part every abuse that ads have attempted has been shut down. Sometimes not as fast as we’d like, I admit, but for the most part I think the system is working.
Ads can no longer play audio, they can’t see data passing between me and the site they’re embedded into, they can’t abuse popups anymore, etc., etc. Every time an advertiser comes up with some new annoying way to try and get extra attention, the good folks designing the web and making the browsers patch the hole.
I like that the web standards and browsers, and laws to some extent, are where the responsibility lies, and I wouldn’t want to have individual sites taking responsibility for the security of ads.
As for bemoaning ad blockers, at least keep in mind the ads in ad-supported free content are their revenue stream, and that the majority of ads aren’t malicious. Personally, I’d love to see a better free business model than ad-supported free content. In the meantime, paying directly for ad-free content, and putting up with ads are our main options.
Change or not, I think the trend is not to trust ads anymore. I question whether or not it’s feasible in the long term to sustain a model based on tracking people, selling their data, and calling that “advertising.”
Oh and if you want to see what CNN is crapping out without the cruft, lite.cnn.io works well.
Surveillance is helpful information gathering and customer profiling in order to understand customer needs better. This enables us to put more relevant ads in front of your eyes. It also helps us to understand when is most convenient to sneak in the middle of the night and harvest your and your family's vital organs, as permitted by the service agreement you signed.
Bad ads appear with every ad network, and ad networks are lazy to stop it because they know that sites will take all the blame (your comment is a great example). Pop into /r/adops sometime (or the associated slack channel) and watch site owners working nonstop to try to find a solution to this problem. It's mostly a game of whack-a-mole at this point with no real long-term solution in sight.
Google's monopoly status means it fulfills 90+% of the ads. I can guarantee you that CNN has no control. There is no competition. So, erm, maybe the onus is on Google?
Surely a company as big as CNN can run their own ad service instead of contracting it out. Do they pass the buck like this for ads on their TV channel?
They probably do run it. Just they are looking for the highest paying ads that don't have a boob in them or a penis. If the highest paying ad is a keylogger, that's generally not what they're looking for when they're filtering it out.
I think you could name multiple competitive players in lots of areas that aren't your core business. You can't name any others in ad services because Google is a monopolist.
> I think you could name multiple competitive players in lots of areas that aren't your core business. You can't name any others in ad services because Google is a monopolist.
That is totally silly - What in the world makes you think I think about the advertisement industry more than the absolute minimum amount possible?
Anyway, the other options are:
- They run their own ad platform
- They don't run ads
Tons of malvertising comes through Google. When one company owns the whole space, finding just one vulnerability is enormously economically attractive.
Just to be clear, I think they are talking about advertisements placed via Google's platform, not ad campaigns by Google.
I think there is only one way to solve this: programmatic ads cannot contain executable code (no access to local storage or network) and ads must come from the same origin as the page they are on. For example, YouTube will host an ad for Subaru on YouTube's servers. The sticking point, as people have pointed out to me before on HN, is fraud. The customer (in this case Subaru) does not trust Google to be honest in counting the number of impressions.
Perhaps what we need is legislation banning this behavior across the board. When no ad vendor is able to allow customers to do what they please on users' web browsers, the customer has no recourse other than to accept that this is not possible. I don't know how such legislation would work though. Perhaps it needs to be an industry alliance instead of legislation?
Again, I still doubt that Google places ads with key loggers via their platform. Maybe I misunderstand something about how they operate though, and I can't recreate anything close to what the original article shows. In fact, I can't even load cnn.com right now.
Lots of speculation here, not much analysis, even from lazy gits like me.
Chrome web inspector kindly gives the "Initiator" for every request. In this case it's cnn-header-second.min.js. Load that, and Chrome again kindly detects minified JS and offers to pretty-print it.
The context here appears to be some kind of ad console tool, added by CNN, not by an ad. The relevant function is at https://pastebin.com/EwgPAM6T
It's a bit obfuscated/minified, and they don't seem to have a non-minified version available, so it's not clear exactly what functionality this is enabling.
Either way, not really a keylogger if it's not capturing all keystrokes and shipping them off somewhere.
Functionality is to enable an "AdFuel Creative Review" form when typing "d o h" anywhere on the page. Try it. Then click the blue icon in the lower right.
This is a prime example of how people so easily accept a headline shared on some news authority to be truth. Even the bright minds at Hacker News are duped - just look at all the discussion happening here with the assumption the headline is correct.
The guy who tweeted this jumped to a conclusion, naively shared his discovery, then let it perpetuate leaving numerous victims of an erroneously altered world-view.
I seriously think people shouldn't be able to comment / see comments on HN unless they've at least clicked on the darn link. I took one look at the "keylogger" source code and recognized it.
The point stands, but that's not really a keylogger. It's a library to manage keyboard inputs. Of course, it could also send all key info somewhere externally too.
But in what universe would an individual ad need that? This seems like precisely the sort of thing that a third party ad would be prevented from doing.
I'm skeptical that this is a) from a banner ad and not from operation of the site b) a full blown keylogger and not a library included that is used for something like a photo gallery (that may have ads in it)
To be fair, when they're desperate real world newspapers are like this too.
A flush successful newspaper will make a deal of its editorial independence and insist you write "Advertising Feature" in big letters at the top of your full page ad, use a completely different typeface and give your company's name, but when money is tight the guy selling those adverts is under pressure to compromise. What if it says "Sponsored content" rather than "Advertising Feature"? And rather than big letters at the top, how about small disclosure text at the bottom? The typeface could be a very good clone of your normal editorial typeface, and still count as "different" right? And let's have a byline which says "Our staff", that's vague, and the poor reader might think it means it was written by journalists, but it doesn't strictly _say_ that, it just says "Staff" which could be anybody...
This is how internationally famous British newspapers end up running content literally written in Beijing or Moscow to let everybody know how free and wonderful those countries are, using weasel words like "in co-operation with". And if the _actual_ news is a bit awkward? Well, you wouldn't want that lucrative sponsored content deal to lapse would you? Maybe a brief mention on page 14 is enough, even if those newspapers which still have a backbone ran it on their front page.
It appears to be getting the keypress.js library from ssl.cdn.turner.com. Not clear if the data is being exfiltrated, though, just by looking at that tweet.
Exactly, it is incorrect to jump to the conclusion that they are using a keylogger. I mean, they're loading a JS library that allows handling keypress events; but if you talk about a keylogger everyone assumes that they're stealing your keystrokes.
What needs to be done is to navigate the site and type a given char sequence on every page while logging the HTTP traffic, then do a search for that sequence to see if it appears in any request. That's the basic thing you could do to actually verify if there is a keylogger.
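The check described above, as an added example (not part of the original thread, and not code from CNN or any commenter): type a unique canary string while recording traffic, export the capture as a HAR file, then search every request for the canary in raw, URL-encoded, base64 and hex form. The canary value, hostnames and HAR entries below are constructed sample data, and the function names are hypothetical.

```javascript
// Added example: search a HAR capture for a typed canary string (Node.js).
// CANARY and sampleHar are constructed sample data, not a real capture.
const CANARY = "zq7@canary#42";

const sampleHar = { log: { entries: [
  { request: { method: "GET", url: "https://news.example/article?id=1",
               headers: [{ name: "Accept", value: "*/*" }] } },
  { request: { method: "POST", url: "https://collector.example/e",
               headers: [{ name: "Content-Type", value: "application/json" }],
               postData: { text: JSON.stringify({
                 d: Buffer.from("keys=" + CANARY).toString("base64") }) } } },
  { request: { method: "GET", headers: [],
               url: "https://search.example/?q=" + encodeURIComponent(CANARY) } },
] } };

// Return the raw text plus decoded views of it, so an encoded canary still matches.
function views(text) {
  const out = [["raw", text]];
  try {
    out.push(["url-decoded", decodeURIComponent(text.replace(/\+/g, " "))]);
  } catch (_) { /* malformed percent-escapes: skip this view */ }
  // Decode every base64-looking run at four offsets, because a token glued to
  // neighbouring characters (e.g. "/path/<token>") shifts the 4-char alignment.
  const b64 = (text.match(/[A-Za-z0-9+/_-]{12,}={0,2}/g) || []).flatMap((t) =>
    [0, 1, 2, 3].map((i) => Buffer.from(t.slice(i), "base64").toString("latin1")));
  out.push(["base64-decoded", b64.join("\n")]);
  const hex = (text.match(/(?:[0-9a-fA-F]{2}){8,}/g) || [])
    .map((t) => Buffer.from(t, "hex").toString("latin1"));
  out.push(["hex-decoded", hex.join("\n")]);
  return out;
}

// One finding per request whose URL, headers or body carries the canary.
function findCanary(har, canary) {
  const findings = [];
  for (const { request: r } of har.log.entries) {
    const headerLines = (r.headers || []).map((h) => `${h.name}: ${h.value}`);
    const body = (r.postData && r.postData.text) || "";
    const text = [r.url, ...headerLines, body].join("\n");
    const hit = views(text).find(([, v]) => v.includes(canary));
    if (hit) findings.push({ method: r.method, url: r.url, encoding: hit[0] });
  }
  return findings;
}

console.log(findCanary(sampleHar, CANARY));
```

A match is strong evidence that typed input left the page; an empty result only shows the sequence was not sent in these encodings, so it is worth also comparing request volume while typing against an idle baseline.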
So basically, it's just an event-capturing interface to what you can do natively in the browser already. It doesn't necessarily mean anything is being logged. The code using the library would need to be inspected—whatever callbacks are being fired, etc.
What kind of functionality? This is just a generic library for more easily managing keyboard input, JavaScript itself supports the same but in a more clunky way.
Keyboard shortcuts instead of onclick handlers. Unless someone is using Vimium there is no way to use a keyboard to navigate the web without explicitly defined keypress handlers.
I would suggest their "lite" [1] version. It is compatible with addons like NoScript, uMatrix, uBlock, Canvas Fingerprint Defender, CSS Exfil Protection, Privacy Settings and Self Destructing Cookies. I am using FF 52 ESR. Some of these addons may not work in 58+.
They could improve their HTTP header settings a bit. [2]
Iframed banner ads can’t log keystrokes outside their frame, browsers don’t allow that. And no site in their right mind would include ads that aren’t iframed.
A keylogger would be possible if there was some kind of zero day exploit, but this isn’t that; it sounds like the tweeter didn’t do their due diligence. I’m curious how someone gets as far as looking through the minified JavaScript without knowing the browser doesn’t allow that, obviously(?), otherwise all your passwords and information would have been compromised long ago.
As someone who claims they are a programmer and researcher... you would think they would have done some more research on this and also have common sense to know that this isn't a keylogger.
CNN, like the vast majority of news sites, is best viewed with javascript disabled. Pages load 10X faster, scrolling is not jumpy, the CPU doesn't go crazy, and text reads just as well. It is hands down a much improved user experience.
Advertising has ruined every medium it has ever touched. It will ruin the web. It is only a matter of time. It did not destroy ancient network television overnight. It did not destroy cable tv overnight.
The last time I saw cable tv a few years back, it had become so bad that after a long run of ads, they would then put bugs and walk on people right over the content of the show you were watching. Sometimes obscuring important content within that show.
Which is why NF is so successful and cable is bleeding from the arteries. Consumers want to choose their device, on their schedule, without tampering with the content, and they want good and timely selection of content. They will pay well for this.
Press shift-control-z on cnn.com and you will get what this supposed keylogger is (hint - it's not a keylogger or coming from an ad) but merely a CNN internal tool.
They come in waves and go away when ad exchanges figure out how to block them. It isn't usually tied to a single publisher, as they are bought and sold across ad exchanges that reach most of the ad funded web. They are extremely difficult for even manual reviewers to spot and reproduce, so the whole industry works to stop them together. Then new ones pop up.