Google served malware to millions: are ads really the future of internet?

Sites like Last.fm, The Times of Israel and The Jerusalem Post that use Google's ad network DoubleClick have apparently been serving malware since late August. It's certainly not the first time that an ad network has served malicious code, but it's one of the most high-profile occurrences.

Worse, the ads were served by Google, whose $60 billion business is completely dependent on ad income.

The impact of the malicious code is unclear, but even if estimates of 'just' 5% effectively compromised user systems are correct, these numbers are still way too high.

The risk of allowing ads on your system is basically too high to be acceptable if you care about a stable computer without infections, privacy leaks or other compromises. Ad blockers can and will stop this and are a better first line of defense than virus scanners. So can we still afford to surf the net without an ad blocker?

And the $60 billion Google question: is an internet with automatically served ads viable if people start to defend their systems with ad blockers?

It's not only Google that will be hurt by millions of people installing ad blockers; the web pages running these ads lose their business model.

How can the 201x web progress if ads are more dangerous than the downloads of the last decade were? Will we need a new business model?

Background info on the malware: https://blog.malwarebytes.org/malvertising-2/2014/09/large-malvertising-campaign-under-way-involving-doubleclick-and-zedo/

 

68 Responses to Google served malware to millions: are ads really the future of internet?

  1. Eli Fennell says:

    Chromebooks FTW! (Again.)

  2. Max Huijgen says:

    And how is that supposed to help? Chrome is just as vulnerable as other operating systems against threats you (the user) allow through ads.

  3. Eli Fennell says:

    +Max Huijgen Really? sigh

    This type of Malware… practically any malware, really… is incapable of executing on a Chromebook.

    I would think someone so interested in privacy would know what the most secure systems to use were.

  4. Back in the days when ads were just simple animated GIFs there were (almost) no problems with them. Why don't we go back to that? The possibility to add code to an ad is a recipe for disaster which has been proven a lot of times already.

  5. Max Huijgen says:

    +Eli Fennell if the browser fails (which is often the case with malware attacks on Chrome), the OS can't protect you.

  6. … What exactly would that malware technically do?

  7. Max Huijgen says:

    +Riël Notermans load more malware on your system like Win32/Kuluoz, Win32/Zbot, Win32/Rovnix, or others. Together they compromise your privacy, financial security and your contacts.

  8. Joel Webber says:

    "[…] if ads are more dangerous than the downloads of the last decade"

    Except that they're not. While it is important that we keep working hard to improve the security model, this is by no means as bad an exploit as the kind traditionally borne by binary downloads.

  9. Jo Dunaway says:

    Ad blockers are incompatible with my company's Intranet server's Citrix plugins; I am prevented from having them on my computer as I work from home remotely. My AVG Business Edition does a good job of catching malware, though, and Malwarebytes is a great tool.

  10. +Max Huijgen none of those would do anything on a Chromebook. Try again

  11. Yet another instance of Gresham's Law at work.

    +Patrick Schmitz Those animated gifs were (and remain) annoying enough. I kill anything that moves. Actually wrote CSS to blank all gifs on G+ until I hover over them (based on the file extension). Animations which aren't gifs still sneak through, I flag them as spam.

  12. Sean M says:

    "If the browser fails…, the OS can't protect you. "

    +Max Huijgen, that is not true. OSes and processes implement sandboxes to limit leakage from compromise. They also have DEP, ASLR, UAC, etc which all work to limit damage from process compromise.

  13. Eli Fennell says:

    +Max Huijgen Your last statement to me was beyond idiotic.

  14. Bernd Rubel says:

    +Max Huijgen You have a completely wrong estimate about Adblockers in general. Sorry.

    For example, the most popular adblocker "Adblock Plus" is owned by a group of investors who earn their money with advertisements, including script redirects, links to malware sites, popups, layers etc.

    Adblockers, in their current state, are just shabby gatekeepers, created to re-allocate billions of dollars via blacklists and whitelists (which are turned on by default and re-activated automatically). The battle has just begun.

    Furthermore, this incident does only show one thing: advertising agencies and their service contractors like Zedo pocket billions of dollars inside the advertising pyramid, but don't do their job. The biggest agencies are stock companies and have to, first of all, care about their own stock price (edit: 2011, jpg, http://goo.gl/i5aoPl). Each level of security costs money. Even "better" advertisements would cost money, that's why we don't see them.

    While adblockers only harm the publishers, the money still silts up above this layer. Adblockers won't change anything, just the opposite: they concrete the status quo.

    Edit: +Danny Sullivan had his own experience with Zedo years ago, obviously nothing has changed: http://goo.gl/7yln38

    The solution won't be Adblockers. The solution would be big reputable advertisers like +Sony, +Disney, +Apple, +Dell or +Chrysler who quit the contracts with their agencies if these agencies won't start to clean up their front yard.

  15. +Bernd Rubel Was there a rational point buried somewhere in there?

    If you're trying to argue that ABP is slipping ads to me on the sly, it's not. And if it is, I shoot those dead as well.

  16. Bernd Rubel says:

    +Edward Morbius If it's not, you have disabled the whitelist, that is enabled by default during the installation. 99% of all users have them enabled and companies pay a lot of money to ABP to be included.

    Last year the whitelist was quietly reactivated in millions of chrome browsers, "because of a bug", that couldn't be reverted. The staff of ABP created dozens of fake identities to spread hundreds of fake reviews for ABP in guest posts around the world.

    ABP is part of the advertising industry, not their opponent, establishing the big players and harming the small. In fact it's an advertising network, that earns millions of dollars.

    edit: btw, it's an open secret that your adblocker – like any other browser plugin – is one of the most important signals to get your browser fingerprint. https://panopticlick.eff.org/

    While your adblocker's blacklist will only protect you from third party tracking, the big publishers already track you on their own server and synchronize the data directly with the ad servers, in the background, in real time.

  17. +Bernd Rubel Checking my config: there are no domains whitelisted, and the "allow some non-intrusive advertising" option is deselected.

    Mind: yes, I do generally check software features when installing and configuring stuff. I realize that puts me in a very small minority (I also run Linux and smell funny).

    I still don't get what you're ranting about, as ABP actually is functioning as, to pardon the phrase, advertised. And if it didn't, I'm pretty damned sure a bunch of alternatives would emerge. I find multiple pages of hits for 'ad block' checking the Chrome web store (50+ actually, though some seem at best tangentially related to what I'm looking for).

    Sorry, fail.

  18. Bernd Rubel says:

    +Edward Morbius yes, you're the minority. That's an elementary part of ABP's concept in general.

    See, i know more about adblockers than you will ever do, accept it. I know everything about their market share, how they work, who is affected, who is doing business with whom, why people install them (driven by annoying advertisements coming from the same people who own ABP, by the same global players and agencies who are placed inside the whitelist).

    Whether your whitelist is activated or not, while you think "it's functioning" you're just one small mercenary in a lazy blackmail army with millions of users, instrumentalized by a small group of advertising companies who allocate the global advertising budgets.

    Let me give you an example:

    I read a lot of your comments, i know how much you like reddit. By using ABP without whitelist, you are just someone we called a "leecher" years ago, just abusing the service. If you activate your whitelist, you'll see "decent" ads there, because reddit paid to be included.

    Oh, you added reddit to your whitelist manually, to support them? Then (and with an activated default whitelist) you support Condé Nast, one of the biggest publishing networks of the world, running Vogue, Glamour, GQ and Golf Digest – and reddit. While supporting them, you refuse to "support" the millions of small websites that are linked on reddit, that deliver the content for all the "profound discussions" you love so much, as you stated several times.

    This behaviour, multiplied several million times, leads to a shift of advertising budgets from small websites to big websites, from small (perhaps innovative) agencies to the big players.

    Sorry, fail.

  19. +Bernd Rubel You've got no fucking idea of who I am or what I know.

    You are an idiot.

  20. Iblis Bane says:

    No +Eli Fennell…AdBlockPlus FTW. 😉

  21. Bernd Rubel says:

    +Edward Morbius I don't care "who you are", i don't even care "what you know", in general. You're wrong this time, or at least you don't care that your adblocker is not the shiny white knight that is "just functioning".

    I add you to my list of people who called me an idiot and blocked me.

  22. Iblis Bane says:

    Hahaha, this is what I get for not reading all the comments. 😀 Will do a little looking into it.

  23. +Bernd Rubel you have a list of those? I guess you spend too much time here.

  24. Bernd Rubel says:

    +Lucas Appelmann Yes. but it has only one entry, since today.

  25. "God bless Max Huijgen" Man is a life saver.

  26. Gatekeepers protect my tech from your malware. You can bet your last bean pie, +Adblock Plus will be locked & loaded.

    Good luck in your search, "Internet ad malware Stockholm Syndrome" victims. +Max Huijgen G+ page contains none.

  27. Max Huijgen says:

    I didn't want to return to this thread and G+ in general as I wasn't happy with the 'conversation' which followed.

    If people call you 'idiotic', call others who comment 'idiots', proclaim that I don't understand the subject, etc you're basically ruining the interesting debates I often see under my posts.

    As a free flow of ideas is central to me and my presence on G+ I don't accept a degeneration of my threads to name calling contests.

    Most posts create interesting, sometimes heated exchanges of ideas, a few go wrong.

    After looking at the rare derailed discussions there are some common elements: the subject, – everything Google related- and some contributors.

    From here on I have blocked +Eli Fennell as he is often the first in the 'insults instead of arguments' category. I will also moderate future posts on derailments. Arguments, debates, hyperboles, all is fine, but no ad hominems.

  28. Max Huijgen says:

    +Bernd Rubel I'm not with stupid and I don't use Adblock Plus myself but Adblock which is a different product. I'm fully aware of the issues you mention but this post was not a review of ad blockers.

    Your introduction of your comment would make me remove it next time. The rest of it is fine as no doubt someone learned something from it and it was related to the topic.

  29. Max Huijgen says:

    +Sean McGuire the security model of Chrome OS is based on the sandboxing inherent in the Chrome browser. Hence my remark that if the browser fails, that OS is compromised.

    For other operating systems this isn't true, but I was responding to Eli's claim about Chrome OS.

    However even on secure OS, once your browser is compromised you effectively lost (part of) control over your system. IF users used decently configured systems access to executables can be stopped, but a compromised browser is in itself a major problem in terms of privacy.

  30. Max Huijgen says:

    +Edouard Tavinor No, you can't run windows executables on Chrome OS, duh! Did I say so?

    Browser takeovers through ads are possible on every OS and all that protects a relatively unknown OS is lack of market share making it uninteresting to exploit them. It doesn't change the principle of it.

  31. Chrome tabs are sandboxed. It is impossible yet for an app to get to the system.

  32. Max Huijgen says:

    Exactly +Riël Notermans Tabs are sandboxed. Once you break out of the browser, you have access, so Chrome OS won't help you.

    And breaking out of any sandbox is possible as has been consistently shown in the past.

  33. Maybe. Still the millions are on the table.

    http://www.digitaltrends.com/web/can-hack-chrome-os-google-puts-2-72m-bounty/

    It's about architecture. Not being able to run stuff on a CB makes it damn hard to actually do something. With more API's the chance will be bigger.

  34. Max Huijgen says:

    C'mon +Riël Notermans undocumented API's won't secure a system.
    In other competitions which are commercially more interesting for the bug hunters Chrome has been compromised.

    It's not about architecture, it's about commercial interest. Why would anyone want to spend serious resources on breaking into an OS which is hardly commercially used?

  35. +Max Huijgen Since the Chrome browser is open source, the APIs in question aren't undocumented. In fact I don't run "Chrome" itself but the "Chromium" port which is independently maintained. Note the distinction between Chrome the browser and Chrome the OS, which I'm less familiar with. Mis-use of branding to cover two totally independent technologies (much as Java is a language, interpreter, and VM, not to mention the totally separate "javascript").

    +Riël Notermans's point that tabs are sandboxed is, at least on design points, pretty well taken. Yes, security holes can and do happen, but if they exist they're explicitly against design intent. And while I'm a bit out of my technical depth, protecting users from malicious external content is a valid security model, as contrasted with protecting external content from a user (DRM / Digital Restrictions Management), which has time and again failed not only in implementation but in architecture.

    One of the more notable results of the Chrome security model is that I cannot invoke vim as my browser editor as I'd prefer. Firefox has plugins which enable this precisely because it allows interaction with the external environment. A number of other Chrome limitations also apparently spring from this characteristic.

    And while we're at it, good call on blocking Fennell. He'd crossed my threshold long ago, as he had numerous others' I correspond with. Bernd had been on my watch list for quite some time, the exchange above was merely the final straw.

    I've done further investigation of his allegations about AdBlock, incidentally, and cannot substantiate them. It's an independent non-profit best I can tell, not an "ad supported tool", and frankly his disparagement is without basis and harmful to its reputation.

  36. Max Huijgen says:

    I used to be an Iron user +Edward Morbius so I know that Chrome the browser is open source.

    Chromium OS seems to be dead.

  37. Bernd Rubel says:

    +Max Huijgen I can read Edward Morbius' comments only in incognito mode, because he blocked me. I don't know if he does this unwittingly or intentionally now, but neither he nor i were talking about "Adblock" before.

    We talked about "the most popular adblocker Adblock Plus (ABP)". For example, Adblock has no option to "allow some non-intrusive advertising" Edward mentioned at 20140920, 04:34h – this is an option of Adblock Plus.

    Adblock Plus (ABP) is by far no "independent non-profit" project, it's a product of the German Eyeo GmbH. The company, whose only product is ABP, had a circulating capital of more than 4 million euros, according to their annual closure 2013 (http://www.bundesanzeiger.de).

    If Edward would do a further investigation – not only "incidentally", but intentionally – he would find several sources that prove every single word i said before.

    Is Adblock Plus a Scam? Is Internet Advertisement Broken

    Sorry, fail. Try it again.

    (edit) No, don't try it again. I know this kind of discussion with ABP enthusiasts. It's hard to accept that the flagship of the international Open Source Scene sold out and shares its bed with the advertising industry now. And it might be even worse for Edward that others get to know that also his beloved platform Reddit is just a part of a global media and advertising company. Sorry. It's a fact.

  38. Max Huijgen says:

    +Bernd Rubel You addressed me when you stated I had no clue. Not +Edward Morbius

  39. That was probably because Bernd was blocked, so he couldn't plus-mention Edward any more. So much for that, Max 😉

  40. Max Huijgen says:

    😉 +Lucas Appelmann

    (although in reality he plus mentioned me and followed it with '+Max Huijgen You have a completely wrong estimate about Adblockers in general. Sorry.' even before I said anything about the functionality of specific adblockers.)

  41. Bernd Rubel says:

    +Max Huijgen My last comment (02:10 AM) is just a clarification to Edwards comment that totally misrepresents the facts in the comments before. As you also stated before Adblock Plus and Adblock are two completely different products – if Edward confuses them, unwittingly or intentionally, this should be clarified.

    My very first comment, where i stated that "You have a completely wrong estimate about Adblockers in general." was a direct reply to your sentence (in bold letters) … if people start to defend their systems with ad blockers.

    I focussed on the word "defend", that implies that you "fight" against advertisements with an Adblocker, an Adblocker in general. You don't, if you use ABP, you support advertisements and the same agencies who are responsible for the worst kind of advertisements, in a different way.

    "Defend" also implies that you "protect" your system with an Adblocker. You don't, if you use Adblock Plus, because the company already showed that they can update their addon without any user intervention, for their own benefit.

    I focussed on Adblock Plus because it's very likely that people install this addon and not another one if you tell them that they can "defend their system" with an Adblocker.

    I didn't write this sentence to insult you. Your statement was (for me, personally) mistakable, at least it was too short for people who don't know anything about Adblockers.

  42. … And unfortunately much of this thread is illustrating why blocking people is a dumb and juvenile move.

  43. Max Huijgen says:

    I understand your explanation +Bernd Rubel, but try to be more positive towards others. Assume that people are smart; most people commenting on my threads are.

  44. Bernd Rubel says:

    I wouldn't spend several minutes of my lifetime to explain and discuss a complicated topic like "Adblocker" if i wouldn't be positive against people and their intellect in general, +Max Huijgen. Including yours, including your commenters and including the people who watched (but didn't comment) this post 4600 times.

    My positivity against others has a limit when someone with the reddit logo as a profile picture can call me an idiot only because i demystify his beloved platform (not for the first time). And it also has a limitation when someone who spams all posts with the word "adblock" since several months (search for his name) and who plussed the comment where Edward called me an idiot gets several +1 from you for his really dull and spammy comments.

    That said: although you didn't comment during the last part of this "discussion", your (existent and nonexistent) +1s encourage people, with your approval as the original poster. So if "a free flow of ideas" is so important for you, you should either be a part of the discussion or let the discussion flow independently or stop the discussion at an early point.

    At this time i don't know if i have to write a disclaimer here, that my advice in the last paragraph has nothing to do with my appreciation of your intelligence.

  45. +Bernd Rubel I appreciate your efforts and I would probably have lost patience with this thread already but the ratio of time spent vs. new discoveries seems to be diminishing…

  46. +David Kutcher As for blocking: I arrived at it as a solution rather unexpectedly, but given a constant issue of high noise / low signal, aggravation, and/or just plain personality conflict (in some cases, quite probably touched by psychological dysfunction) it actually makes the overall experience vastly better.

    If Google aren't going to keep the kooks out themselves, you can wall them off fairly effectively by other means.

    There's a single person whose insights I've found interesting who's blocked me, and that's on account of their personal policy of blocking all pseudonymous accounts. Otherwise, really, no loss.

    I suggest you try it some time.

  47. On ABP, assuming Wikipedia's an acceptable source of information, I'd suggest reading it, and yes, actually, it and Adblock are separate:
    https://en.wikipedia.org/wiki/Adblock_Plus

    I don't find the situation concerning the whitelist unacceptable, and the code itself is in fact open source.

    Apologists for advertisers seem troubled by tools that work. I find that a convincing argument for the use of those tools.

  48. +David Kutcher If you're that concerned, you can search for mentions of yourself in an unauthenticated session. I find in general people think about you (or me) rather less than you might think.

    That misses private discussions, but then, you wouldn't see those if you hadn't blocked them.

    You're also making assumptions about motives on the part of whomever blocked you, and all that really can be known is that those vary. I value high signal, low noise, and find that the more I eliminate sources of noise, the better the signal.

    Low-quality signal is easy to come by. You're not missing much.

  49. +Edward Morbius perhaps you missed the part about G+ Commenting System. If your website uses it, and you block someone, that person could be slandering you all across your website, public to everyone but you. I'm not making any assumptions, I'm pointing out just one example of how it can cause issues for the blocker.

  50. Alex S says:

    +David Kutcher always have at least one totally separate browser instance open for only your most trusted sites (that you perform e-commerce/banking on etc.), and that you don't use for anything else so as to avoid browser sec subversions.

    This is where you should do your (blog) site maintenance/editing as well, which would then presumably show you a non-logged-in view of comments, even when using the G+ Comments tool.

    Just write your own comments through the other, logged-in instance. Asf.

  51. +Alex Schleber yea… good luck with that approach.

  52. Alex S says:

    +Max Huijgen I guess this thread won't die, eh? 🙂 So I might as well add my vision of the "future of the Web":

    Load all pages except for a few trusted/extra-well designed ones through APIs or a simple HTTP GET/scrape exclusively (after studying Browser Plugins for a few weeks in recent months, I view them ALL as a giant security hole/risk/attack-vector that should NEVER be used, except for possibly loading your own, self-designed or vetted versions…).

    Simple: Load only the text and images you want (and format them in the best-for-you ways), leave all of the other cruft and security problems behind.

    People ignore 99% of Web ads anyway (users are trained toward "ad blindness"), so I don't see how I owed anyone anything in terms of loading their privacy violating (or even malware containing) ads.

    In an Attention Economy, attention is the scarce resource, and those ads weren't getting my attention to begin with.

    If sites want to monetize (assuming they have anything worth monetizing, most don't…), just make better use of the attention that is provided you if anyone actually reads your stuff, and put an offer for something contextually relevant at the end of the content.

    (Push) Ads are dying, and will in due time be completely replaced with Pull VRM models. Search Ads have always been about half of the way there, which is why they've by and large been the only thing working properly on the Web.

    App Install Ads being another relative exception (for now).

  53. +Alex Schleber does browsing your website in incognito mode, perhaps with 100+ blog posts, each with their own G+ Commenting includes, seem like a good usage of time?

  54. Alex S says:

    +David Kutcher presumably you're only scanning on recent posts with comments left open. Either way, using the separate browser instance for your "devops"/admin is good practice, and no, I am NOT a particularly big fan of the G+ Comments integration (or any other comments "integration" offloading for that matter) either, no matter how big of a semi-faux social proof badge it represents…

  55. +David Kutcher Not my problem / doesn't apply to me, but I find your concern touching.

    That is a significant bug in G+. One of many.

  56. +Alex Schleber I've shared my quadrification of the browser vision before:

    1. A reading/posting interface. Mash-up of Readability + Calibre + Zotero, plus ability to comment/interact/compose. Effectively very little by way of site design, optimized for text, user-specified fonts, colors, widths. Logos and in-line images only.

    2. An applications engine. Face it, this is what Web 2.0 sites want in general, though IMO that use should be limited.

    3. A commerce app. Sandboxes financial transactions privacy, tracking, etc.

    4. Freestanding media player(s). Allows queuing, playback of content.

    This is already pretty close to how I operate, except that 3 doesn't exist (I call it "going to the store").

    http://www.reddit.com/r/dredmorbius/comments/256lxu/tabbed_browsing_a_lousy_bandaid_over_poor_browser/

  57. +David Kutcher If you cannot review recent, previously unseen comments only on your blog, then it's lacking critical functionality.

    reddit offers me this as a subreddit mod for all posts I author. That is, treating myself as the sole submitter to a subreddit (as a blog), I'm notified of all new additions. I can see and review them, and take actions (delete, block user if necessary).

    Further, I can automate many of the moderation tasks via AutoModerator bot.

  58. Wow boys – let it fly! …and I was just fine blaming it all on Adobe #StayingOutOfTheFire #ButStillPresent ;D

  59. Bernd Rubel says:

    +Max Huijgen btw, did you know that Adblock (not Adblock Plus) has extended its calling home functionality and now sends the user's locale, a unique user ID, the AdBlock version, the operating system and whether Google Search ads are being allowed to its manufacturer?

  60. Alex S says:

    +Bernd Rubel thanks for all of that ABP info BTW. Most interesting/disturbing.

  61. Neeeeeeeerrrrrrrrrrrrrrrrrrddds! :p sorry someone had to say it

    Nothing is safe and secure and this is why Google welcomes criticism on their tools.

    We have many many tools at hand to not only detect and avoid these insecurities but many tools on how to deal and cope.

    It will be patched and the world will move on.
    Will people install adblocker? Yes. Everyone? No.
    Will new people start using the internet without knowing what an adblocker is? Yes.

    If there are any old guys like me around who remember .tiff files you know this scenario played out before.

  62. +Thomas Milne I didn't feel like such a nerd when I realized my otherwise protected clean system had been compromised… I felt like a ninja on a rampage. Perhaps that's still nerdy though… just depends on your definition, I suppose.

  63. Max Huijgen says:

    As an old hand myself I do advise newcomers to the web to install an adblocker +Thomas Milne and I'm not the only one…
