
Forbes asked readers to turn off adblockers then immediately served them malware - temp
http://www.engadget.com/2016/01/08/you-say-advertising-i-say-block-that-malware/
======
Animats
Forbes has come a long way down since the days of Malcolm Forbes, Sr. He did
many exposes of bad business practices. Forbes is now owned by Integrated
Whale Media Investments of Hong Kong.

If you're not that familiar with how ad serving works today, watch this IAB
video.[1] Note how the online auction process works. After information about
the user (location, demographics, income level, previous purchases, what user
has looked at) has been obtained from a data provider, that info is submitted
to an ad exchange. Advertisers then have an opportunity to bid for placing an
ad in that space, and have 10ms to bid.

But sometimes, no advertiser bids in that round. The ad space is now "remnant
space" \- ad space where all the big advertisers declined to buy. Remnant
space is very cheap, maybe 5% of premium space. The first ad exchange goes out
to a second lower-tier ad exchange, where the cycle repeats, at a lower price
point. That's where junky ads and malware get inserted. Remnant-space sellers
include Rubicon, PubMatic, and AdMeld (now owned by Google).

Many publishers are reluctant to set a minimum price and leave ad space
unsold. Rather than fill unsold space with some non-ad content, or a house ad
(Forbes running an ad for some other Forbes publication), they sell the space
to one of those bottom-feeder services. This hurts their reputation and
readership, and probably isn't worth the small revenue it generates.

Forbes covered the issue of ad exchange trust in 2014.[2] Their ad people need
to read their own magazine.

[1]
[https://www.youtube.com/watch?v=-Glgi9RRuJs](https://www.youtube.com/watch?v=-Glgi9RRuJs)
[2] [http://www.forbes.com/sites/roberthof/2014/12/10/can-you-
tru...](http://www.forbes.com/sites/roberthof/2014/12/10/can-you-trust-your-
ad-exchange-new-index-may-provide-the-answer/)

~~~
manigandham
For some clarification (as I've worked in the ad industry for years)

1) Advertisers (actually their ad agencies) use software called a DSP to
connect to ad exchanges and bid on each impression. They have 100-250ms
depending on the exchange's rules.

2) This kind of Real-Time Bidding (RTB) is used for both premium space and
unsold/remnant inventory. The separate "rounds" is going away and there's a
rapid movement to do a unified auction for each impression with all possible
ad buyers (premium to cheap) in a single auction.

3) Lots of publishers do actually set a price floor but this is far more
complicated than binary yes/no for a floor. There's a lot of math/science put
into the online ad auction and yield management space.

4) Many networks don't use RTB and are safe from this.

5) This malware issue isn't because of adtech (the tech part) but rather the
incentives and lack of regulation and enforcement. Lots of politics and
mistrust has required tons of javascript tags just to render a simple banner,
and as we all know, js can do just about anything so it immediately gives a
bad advertiser power to do whatever they want. This is something being worked
on with some newer formats. There's also no consequences of "getting caught".
Most ad networks and bad advertisers are not big corporations but little
companies in other countries that can just change names and come back in a few
days to do it all over again.

------
themartorana
Being that I make money from serving ads, I come at this a bit differently. In
a lot of markets, it's one of the most passive ways to make money, but to be
sure, the creepiness factor has been advertisers' hubris-induced-downfall.

In any case, I haven't seen anyone here mention the ad networks themselves.
Every once and a while we would get a complaint about a bad ad - it wouldn't
dismiss, etc. Over time, we whittled down our network list to ad networks that
strictly test and vet the ads they serve, no matter how much time that takes.

The networks blaming a "rogue advertiser" means they're not even passing ads
on their network through automated malware detection software, and so they
have responsibility here.

Creepiness factor aside, the explosion of networks is a problem, because so
very few are actually providing more than a basic service. We really should be
holding networks responsible for their ads.

We did, and we haven't had a complaint for a very long time.

Edit: this doesn't absolve Forbes, especially if they did nothing to correct
the problem.

Edit 2: by "we should hold the networks responsible" I mean "we the
publishers" \- and as that "we" we still have a responsibility to our
users/consumers. See Edit 1.

~~~
BlackFly
The problem isn't advertisements per se, the problem is advertisement networks
that track users and sell their profiles. The only thing I have installed that
counts as an ad blocker is Ghostery. I still get served advertisements at
conscientious websites like duckduckgo.com or any other place that doesn't
rely 100% on tracking networks.

Imagine if simply because you walked into Target, they hired a private
investigator to follow you around and determine your personal habits, hobbies
and other stores you visited. Imagine if they then used that information to
attempt to lure you into the store, or sold that information to Best Buy so
they could lure you into the store. I think most people would have a problem
with such behavior. Making a more realistic physical analogy would be slipping
an RFID token into your wallet without you noticing and only tracking you in
stores that use the corresponding RFID reader.

In my opinion, tracking networks go the extra mile beyond a creepiness factor.
My visit to your website isn't tacit approval for you to peruse my browsing of
other websites. I shouldn't need to opt out of this behavior by installing
Ghostery in the first place.

~~~
geocar
Individual profiles are rarely sold directly[1], but some demographic is taken
so that the publisher can sell your traffic at a higher rate. This is a good
thing because it means they can make more money with less traffic, _which in
turn means_ that they don't have to appeal to anybody and everybody. This is
(hypothetically) where quality content comes from.

Unfortunately most of the ad industry is really crap at this.

For example, Oracle/Bluekai leak `var bk_results` into the web page allowing
anyone to pick up this data which means that this information can (and is)
often used for much more than just better ads.

[1]: One notable space where they are sold is ABM. Unless you're a decision
maker for an enterprise supply budget, this isn't you.

~~~
sandworm101
It is odd to see advertisers speak of tracking so casually. Tracking is still
new. Up until a few years ago (like 3) the majority of the industry (by money)
did not track users. A huge, but admittedly declining, segment still don't.

Billboards do not track. TV ads do not track. Physical shop fronts do not
track. Radio ads do not track. And a great many website still sell space to
people selling actual products, rather than banner ads, which bypasses all
adblockers.

There are plenty of ways to get your message out, and make money in return,
without inventing new supercookies for me to ferret out of my system.

~~~
a3n
> TV ads do not track.

Are we sure about that? Smart TVs would seem to make this at least possible,
and probably easy.

~~~
J_Darnley
Of course a smart TV tracks you. That's why the manufacturer made it (to earn
money from you over its lifetime). The other features it has are just the bait
on the hook.

~~~
sandworm101
Which is why I tell everyone to avoid SmartTVs and instead use some form of
media player to support networking. It means yet another remote, but given
that my TV remotes have already been usurped by my isp-provided decoder box.
(Also a good idea as players are cheaper to replace than TVs.)

------
m0nty
I can do without Forbes.

The problem with saying "switch off adblocker or no article" is that so many
people are using adblockers, that those websites face an inevitable decline in
influence if they continue that way. Because, despite what they say, it's not
just about the money: it's the ability to influence the debate, whatever it
might be. To have your editorials taken seriously and widely quoted. To make
people listen. They're losing that ability, together with readers and revenue.

~~~
Grishnakh
Are they though? Last I'd heard, it was still a minority of people using ad-
blockers. Techies, sure, but most people are clueless, and only use ad-
blockers when their techie spouses/relatives install them.

~~~
narrowrail
If what you are saying is true, then why would Forbes force this "minority" to
disable their adblocker in the first place?

My understanding is that once Apple allowed this capability on iOS, it became
more prevalent among the non-technical crowd.

~~~
Grishnakh
Probably because corporate executives are asshole control freaks, so even if
it's only 23% (according to the other responder using Forbes' own quote), they
get pissed off and want to "fix" that. Also, nearly a quarter of viewers using
ad-blockers still amounts to a lot of "lost" ad revenue, even if it's still a
minority. (Using scare-quotes since you're not losing something if you never
had it, but corporate executives don't believe that; just ask the MPAA and
RIAA.)

------
userbinator
This reminds me of a time when a site asked me to enable JavaScript for "a
better experience". I had been defaulting to JS off for a long time due to how
effectively it stopped ads and other annoyances, and see these messages a lot,
but this time I was momentarily curious for some reason; I did, only to be
immediately assaulted with a bunch of ads, some crap following the
pointer/scrolling, slide-overs, and other distracting annoyances that I would
not at all call "a better experience". Fortunately I didn't get malware, but
since then I've been much more cautious.

I know many are rather fond of sayings like "JS off will break most sites",
but I challenge you to experience the web with it off by default and turn it
on only for the few sites that absolutely need it; depending on what your most
visited sites are, you may actually enjoy it. I find that the majority of
sites are perfectly readable without JS.

On the other hand, I wonder if there are sites which use JS to hide the
content and display a "turn _off_ JavaScript to view this article", or
"install adblocker to view this article"...

~~~
pdkl95
I've observed that suggesting that JS isn't needed for most pages is one of
the more reliable ways to get downvoted on HN. This is usually acco9mpanied
with a complaint that their "web apps" need JS, similar to the "JS off will
break most sites" fallacy that you mentioned.

The people making those claims probably _believe_ that everything would break
without JS, because they are looking at it from the perspective of a business
or designer. If you consider your own site to be "broken" if the
analytics/tracking doesn't work, or the fad "UX" effects are not rendered,
they it's easy to believe that JS should be mandatory.

This point of view is based on a fundamental misunderstanding of what the web
is. HTML is more concerned with semantic abstractions than the specifics of
how a page renders (use a pdf if you want to control the layout). This was an
important design choice because it recognizes that the _client_ is responsible
for the rendering, which is free to completely ignore the _suggestions_ made
by the page.

Unfortunately, far too many people don't want to accept that they don't
actually have control over the browser.

~~~
ghughes
> This point of view is based on a fundamental misunderstanding of what the
> web is. HTML is more concerned with semantic abstractions than the specifics
> of how a page renders (use a pdf if you want to control the layout). This
> was an important design choice because it recognizes that the client is
> responsible for the rendering, which is free to completely ignore the
> suggestions made by the page.

You are describing the web as it was 25 years ago. No modern browser works
this way.

~~~
pdkl95
That's the fundamental misunderstanding I was talking about. You don't _know_
what browser is being used. Ever. You only know what the user agent decided to
describe itself as and the requests it made to your servers. None of that
tells you anything about what happened on the remote computer.

Besides, "modern browser" is a complete undefined term that is obviously
subject to a lot of interpretation and opinion. Usually this term is used as
either a euphemism for "I really want to put spyware on my website" or "I only
use badly-designed tools".

------
davb
This is rich, being reported by Engadget. I've reached out to them numerous
times to let them know their ad networks try to redirect Chrome (Android)
users to Play Store apps. It doesn't happen all the time, and it doesn't
happen on desktop browsers. But it's frustrating and cheap.

They didn't respond.

------
aczerepinski
Loading forbes.com and scrolling to the bottom of the page requires nearly 500
http requests. Anybody willing to share what it's like to work on a project
like that? I assume that they employ skilled web developers who are aware of
best practices, but aren't empowered to improve things?

~~~
morgante
> Anybody willing to share what it's like to work on a project like that?

I used to work at Business Insider and we definitely had similar problems. It
basically boils down to marketing & advertising being more important to
publishers than technology or user experience.

It's organizationally difficult to resist every marketer who wants to add
"just one line of JavaScript" for their pet project. Then there's the fact
that you're beholden to ad networks and can't do much more than whack-a-mole
when they serve junky ads. Probably once a day we'd notice a bad ad and have
to block it from being served.

At one point, we got management buy-in for me to work on performance issues.
We managed to improve performance by ~90%, but the bulk of the project was
just exhaustively listing every script on the page and axing those which
didn't have a good justification. Amazingly, for a majority of the scripts,
nobody even knew why there were there still (they were often added to please
an old advertiser who wanted a specific measurement).

It's hard to place blame. Developers don't have the political clout to prevent
the bloat and are often under-resourced as it is. Marketers want to gather
metrics, but with the small development teams at most media companies it's
easier to rely on third-party vendors over performant in-house solutions.
Management recognizes the problems, but without marketing and advertising
there's no business model.

Personally, I think ad networks are the ones who should be taking the lead
here: they're big enough that they can afford to block bad advertisers without
endangering their profitability. They should be investing much more in
automated solutions to detect and block bad/heavy ads. Unfortunately, there's
not really an economic incentive for them to do so: users blame publishers for
slow pages, not networks. And ad blocking is much more detrimental to
publishers than the networks.

~~~
tombrossman
Someone needs to give the marketing team a 'budget' just like how they have a
financial budget they must stay within.

300ms average load time added by the marketing team, or 200kb JavaScript, or
whatever. Split it all up however you like, and let them fight amongst
themselves for what goes live on the site.

That won't work for the developers who lack the authority to make this a rule,
but that's what you go to management with along with any of the various
studies showing how important speed is to users.

------
volaski
Forbes comes in first place bar none if you compute (shadiness/brand
visibility). They do all kinds of shady stuff like clickbait titles, shadiest
of the shadiest ad formats, that meaningless interstitial ad, and probably
whole lot more I'm not even aware of. Whenever I somehow land on one of their
pages (I NEVER visit them voluntarily, it's mostly via some clickbait title I
click without thinking), I always think "Just die off already if you can't
figure out how to make money without alienating people who have believed in
you. You're being a disgrace to what Forbes used to be and people who worked
hard to build up that reputation"

------
echochar
In an "Ask HN:" someone is calling for a ban on Forbes.

Forbes has indeed reached a new plateau in stupidity.

Anyone using a text-only browser has seen that Forbes' most recent design
transfers all the content but prevents the page from even displaying in even
the most accomodating browser. The word that comes to my mind for their
approach to web development is "boneheaded".

Quick and dirty script to view Forbes articles, with no ads:

    
    
      curl http://www.forbes.com/sites/... \
      |sed '
      1i\
      <html>
    
      s/\\n/\
      /g;
      s/\\r//g;
      s/\\"/\"/g;
      $a\
      </html>
    
      /./{2,/try {/d;
      /} catch/,$d;}
      ' > 1.html
    

Then view 1.html in your browser.

Why did I call their web design "boneheaded"?

They include two full copies of the article.

And this is before all the ads and God knows what are injected into the page.

------
blisterpeanuts
Maybe people will ultimately resort to scrapers to get to the content. Scrape
it into your favorite text viewer. Of course the layout will keep changing, so
it will become a contest to keep updating the scraper scripts, with websites
dedicated to keeping the latest scripts available. Or is that what Adblock
does already?

~~~
cooper12
Scraping is mostly useful if you're trying to get at some structured data or
something. (Though you might be thinking of "readability" modes which work by
assigning scores to what it thinks is content) For sites like these I figure
that using noscript or a headless browser like w3m can suffice. My layperson
understanding is that Adblock works at the network level by blocking requests
to addresses on its blacklist.

~~~
blisterpeanuts
Unfortunately, text browsers like Lynx and Links have been locked out of many
sites. When I go to forbes.com using links, it lets me click on the "30 under
30" article, but then I get a mostly blank screen and can go no further.

Life on the web must be tough for the sight-impaired, as well. Too bad it's
gone in this direction.

~~~
ksml
This is probably a consequence of relying on AJAX to load content, and not of
using a text-based browser. If I visit Forbes in Firefox with noscript
enabled, I also get a mostly blank screen.

------
paulpauper
Forbes is like a for-profit Wikipedia. Impossible to not see a Forbes result
after when you do a google search. I think I saw a Forbes result when looking
up some obscure string theory query. They are everywhere now. Like a kudzu.
Their gateway pages are annoying, and I'm surprised they don't run afoul of
Google's SEO guidelines.

~~~
hobs
I pretty much never see forbes links unless I am on HN, and usually go "Oh how
quaint."

I most cases I would assume that you have a google search history that is
influencing these results and thinks you like forbes, hah.

~~~
leephillips
I have the same experience - I seldom encounter Forbes in search results. I
wish I could say the same about w3schools, or whatever it's called.

------
kefka
By default, I use comprehensive ad blockers on my client machines. I also
suggest and assist installing them as well on anyone's machine without cost
(normally billable).

A great deal of problems are solved full stop by doing that simple step. And
it also sends the message of , "Not interested". I go to a website to read
content, not to be swayed on what shit to buy immediately or later.

Oh, and punishment for allowing ads are "broken or slow machine clogged with
malware". I'll pass.

------
jimrandomh
This problem is present, to varying but nonzero degrees, in all of the
advertising networks. And they're doing a miserable job of fighting it. I
recently saw malware advertised through AdSense, and decided to try to report
it. There was no mechanism for doing so, and I checked everywhere.

------
jjm
I used to be an avid Forbes reader but then came the ad insanity. One thing is
for sure,

__I will not give up on my ad blocker__

even if it means not visiting and reading the sites whose content I enjoyed or
even canceling my subscriptions. This is a free market, a new entrant will
emerge for me in no time.

------
amluto
Why are ad buyers permitted to provide ads that contain script in the first
place? What was wrong with images?

~~~
lagadu
Not aggressive enough. Gotta force the user to click and/or interact with your
shitty ad!

------
0x0
No comments from Forbes on this?

~~~
J_Darnley
They're probably hoping it will blow over. They might wait for the Internet's
focus to move onto the next scandal and then quietly put out a statement
shifting the blame.

------
aaronchall
I tweeted at them on Christmas day that I'm not going to be turning of my ad-
blocker:

[https://twitter.com/aaronchall/status/679334126374297600](https://twitter.com/aaronchall/status/679334126374297600)

It's my computer, I'm not going to load crap I don't want to load on it. If
they want to block other content for it, I don't have to visit their site.

------
exodust
I won't be turning off my ad blocker, but why can't ad blockers disguise
themselves?

Surely there's a way to trick their site into believing I have a normal
adblock-free browser. Even a per-site whitelist kind of thing, whereby popular
sites with adblock detection can be dealt with via addon scripts - say for
uBlock.

~~~
andrenotgiant
It's just the nature of adblocking.

The adblocker prevents certain JS from loading. Sites can easily check which
JS has loaded.

~~~
facetube
Ad blockers could pretty easily fetch resources and just throw them away to
work around this, or insert workalike shims if it's happening client-side.

~~~
dylz
You'd still have to execute the JS - how do you expect an adblocker to emulate
an abusive tracker like
[http://cdn4.forter.com/script.js?sn=3326ea178bfb](http://cdn4.forter.com/script.js?sn=3326ea178bfb)
(bonus: check out the way it abuses fake sourcemaps to try and hide from
devtools, and additionally log with identifying information via a network
request if you are trying to debug their scripts)

------
johnhenry
Perhaps we're coming to an understanding that third-party advertising isn't
such a great revenue model for the web because it requires users to abandon
security. It's becoming increasingly clear that what we get for free by
allowing these ads simply isn't worth giving up our security.

~~~
oneeyedpigeon
You might have meant this, but the problem isn't strictly third-party
advertising, it's advertising _delivered by_ a third party. Nothing wrong [1]
with company a paying for company b to host an image and deliver it along with
its content, just as offline advertising works.

[1] Well, _less_ wrong ...

~~~
johnhenry
Yes "advertising delivered by a third party" is a more accurate description.

------
ck2
Correct me if I am wrong but no advertiser pays for just showing ads on a
website anymore.

They pay you for clicks.

If someone is blocking ads, they certainly are not going to click just because
you ask them to allow them to be shown or find a way to force them being
shown.

~~~
mpeg
It's not entirely true, while CPC and CPA* ads have been getting more popular
over time, CPM is still the best way to go for many other purposes.

Not everyone cares about getting people to click through to a landing page,
lots of advertising is just about increasing the value of your brand, and if
you want to reach as many people as possible you might not care whether they
engage or not.

* Cost per click, action or mille

------
dafrankenstein2
have faced this recently. didnt turn off adblocker bcoz i've seen 11(as far i
can remember) ads blocked by my adblocker

------
mark_lee
fuck adblockers, I know what they're thinking.

~~~
cbd1984
Nice to see Wendy Sullivan still getting work:

[http://www.metafilter.com/112362/Thats-no-booth-
babe](http://www.metafilter.com/112362/Thats-no-booth-babe)

[http://www.sfweekly.com/sanfrancisco/sex-columnist-violet-
bl...](http://www.sfweekly.com/sanfrancisco/sex-columnist-violet-blue-tries-
to-restrain-online-foes/Content?oid=2168929)

